Summary

Management Groups are containers used to group devices and the software installed on those devices. Management Groups are defined using configurable rules that look at various properties of the devices and their installed software. These rules are then evaluated to determine the group membership. This means that Management Group membership adapts to changes to the devices and software in your environment.

Management Groups overview

Management Groups are used by Tachyon to determine:

  • The targets for questions, actions, and reporting
  • User permissions for targeting to particular devices based on Management Group membership.

In terms of permissions for determining how Tachyon users interact with the devices in your network, Management Groups work alongside Instruction sets.

In Tachyon, Management Groups are created in two different ways:

  • Rule based - the  page lets you add, edit, delete and evaluate Management Groups that are based on rules
  • Direct based - these use scripts to create Management Groups by importing lists of devices using FQDN names only. This type of Management Group has no associated rules and cannot be edited or evaluated from the Management Groups page.

Both types of Management Group have the following properties:

  • Each device known to Tachyon can be assigned to any number of Management Groups.
  • Roles can be associated with specific Management Groups, so that users with those roles will only be able to target the devices in their Management Groups
  • Management Groups can only contain devices, and they are completely independent of any other Management Group, even if they contain the same devices
  • Each Management Group must have a unique name which is not case-sensitive.

Please note the following considerations:

  • Devices not assigned to any child Management Group will still be accessible, as all devices are members of the default All Devices Management Group
  • Child Management Groups can only be created under the default All Devices Management Group
  • The maximum number of child Management Groups is four (five, including All Devices)
  • However, there is no current limit on the number of child or "sibling" Management Groups which can be created. 

Permissions

The following roles can add Users and Groups, Roles, Management Groups, Assignments, and Delegation:

  • Full Administrator
  • Group Administrator - cannot create roles unless they are delegated.

You can find out more about the system and custom roles available in Tachyon on the Roles page.

Connectors

Management Groups use device data stored in an Inventory repository, which is populated using one or more inventory connectors, as described on the Connectors page. This is sufficient for inventory-based applications like AppClarity, Application Migration, and Patch Success.

If you want client-based applications like Explorer, Experience and Guaranteed State to use the Management Groups, then you must add a Tachyon Connector, which synchronizes its own data with inventory data. The username and password you provide for the Connector must be a valid Tachyon user and belong to the Management Group Administrator role. Please refer to the Tachyon connector page for more details. You only need to configure the connector; you do not need to schedule or run the Tachyon connector unless you also want to collect data from clients.

To take advantage of your Configuration Manager database and pull in its inventory and usage data, you'll need to configure a System Center Configuration Manager connector in your Tachyon system.

Creating direct-based Management Groups

Direct-based Management Groups are created using scripts. Two sample PowerShell scripts are provided.

  • Each script creates a new log file in the same folder, with file name format as <scriptname>_<ddMMyyyyhhmmss>.log which must be deleted manually.
  • If a Management Group already exists with the same name, the script will delete and recreate it, only with the new devices provided
  • If the file or collection includes a device that is not present in the Tachyon Inventory repository, then it is ignored, and logged
  • After a successful run, the script triggers a Management Group sync.

Once imported into Tachyon, your direct-based Management Groups will be added as child groups of the default All Devices Management Group.

Prerequisites

  • User must have read/write permission in the folder where the PowerShell script is present
  • User must use UseCustomCredentials parameter if the current logged-in user does not have permission in Tachyon to create Management Groups
  • If Windows Task Scheduler is used to run a script, then the scheduled task should provide the current logged-in user.

Create Direct-based Management Groups from a file

Create-DirectManagementGroupUsingFile.ps1
<#
.SYNOPSIS
1E Tachyon – Create Direct Management Group
Copyright © 1e Ltd 2021 - all rights reserved
http://www.1e.com

Version 1.5

Disclaimer
Your use of this software is at your sole risk. All software is provided "as-is", without any warranty, whether express or implied, of accuracy, completeness,
fitness for a particular purpose, title or non-infringement, and none of the software is supported or guaranteed by 1E. 1E shall not be liable for any damages
you may sustain by using this software, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such
damages.

If you have an issue using this software, please ensure you are using an unmodified version before contacting 1E Support.


.DESCRIPTION
This script reads the Device FQDN list in files and creates Direct Membership Management Groups through SLA/Tachyon APIs. If the group does not exist
it is created and devices are added. If the group exists, the existing devices are deleted and new devices are added.


.PARAMETER TachyonApiBaseUrl
Mandatory parameter.  The header name used to access the Tachyon web service.  Should match the header listed in the IIS bindings on the Tachyon server.

.PARAMETER FolderPath
Mandatory parameter.  The name of the input folder which contains the files to be used in creating Direct Membership Management Groups. These files contain 
the list of devices to be used in creating Management Groups.  The file name should be the same as the name of the Management Group. Also, the first line 
of the file should contain the description of the Management Group to be created; from the next line onwards, every line contains a Device FQDN. 

.PARAMETER UseCustomCredentials
Optional switch.  If UseCustomCredentials is used, User will be prompted to enter the credentials, otherwise the script will use default credentials.


.EXAMPLE
.\Create-DirectManagementGroupUsingFile.ps1 -TachyonApiBaseUrl https://tachyon.lab.local -FolderPath C:\Temp\MgFolder

Scenario:
A Tachyon server is accessed using URL https://tachyon.lab.local/Tachyon using default credentials.  The files containing the Device FQDN list 
are in the directory C:\Temp\MgFolder.

.EXAMPLE
.\Create-DirectManagementGroupUsingFile.ps1 -TachyonApiBaseUrl https://tachyon.lab.local -FolderPath C:\Temp\MgFolder -UseCustomCredentials

Scenario:
A Tachyon server is accessed using URL https://tachyon.lab.local/Tachyon using credentials other than the current default credentials.  
The files containing the Device FQDN list are in the directory C:\Temp\MgFolder.

#>

param(
    [Parameter(Mandatory=$true, HelpMessage="Enter Tachyon API Base URL e.g. : https://tachyon.testlab.com")]
    [ValidateNotNullOrEmpty()]
    [string] $TachyonApiBaseUrl,

    [Parameter(Mandatory=$true, HelpMessage="Enter Folder Path which contains files containing Device FQDN list")]
    [ValidateNotNullOrEmpty()]
    [string] $FolderPath,

    [Parameter(Mandatory=$false, HelpMessage="To use Custom Credentials other than windows default credentials")]
    [Switch] $UseCustomCredentials
)

$ScriptVersion = "1.5" # Update the script version here

function Write-Log {

    [CmdletBinding()]
    Param(
          [parameter(Mandatory=$true)]
          [String]$Path,

          [parameter(Mandatory=$true)]
          [String]$Message,

          [parameter(Mandatory=$true)]
          [String]$Component,

          [Parameter(Mandatory=$true)]
          [ValidateSet("Debug", "Info", "Message", "Warning", "Error")]
          [String]$Type
    )

    switch ($Type) {
        "Info" { [int]$Type = 1 }
        "Warning" { [int]$Type = 2 }
        "Error" { [int]$Type = 3 }
        "Debug" { [int]$Type = 4 }
        "Message" { [int]$Type = 5 }
    }

    # Create a log entry
    $Content = "<![LOG[$Message]LOG]!>" +`
        "<time=`"$(Get-Date -Format "HH:mm:ss.ffffff")`" " +`
        "date=`"$(Get-Date -Format "M-d-yyyy")`" " +`
        "component=`"$Component`" " +`
        "context=`"$([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)`" " +`
        "type=`"$Type`" " +`
        "thread=`"$([Threading.Thread]::CurrentThread.ManagedThreadId)`" " +`
        "file=`"`">"

    try {
        # Write the line to the log file
        Add-Content -Path $Path -Value $Content
    }
    catch {
        Write-Host "User does not have access to write log at path $Path"
        Write-Host $Message
    }

    if ($Type -eq 1) {
        Write-Host $Message -ForegroundColor Yellow
    }

    if ($Type -eq 3) {
        Write-Host $Message -ForegroundColor Red
    }

    if ($Type -eq 5) {
        Write-Host $Message
    }
}

function Invoke-DirectMgApi{
    [CmdletBinding()]
    Param(
          [parameter(Mandatory=$true)]
          [String]$uri,

          [parameter(Mandatory=$true)]
          [String]$payload,

          [parameter(Mandatory=$false)]
          [System.Management.Automation.PSCredential]$credential
    )

    $hdrs = @{
        "Accept" = "application/json"
        "Content-type" = "application/json"
        "X-Tachyon-Consumer" = "Platform"
    }

    try {
        $stopwatchApi =  [system.diagnostics.stopwatch]::StartNew()

        $Content = "Invoking API"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message

        # Require TLS 1.2; TLS 1.0 and 1.1 are deprecated (RFC 8996)
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

        if($credential){
            $response = Invoke-RestMethod -Method POST -Uri $uri -Body $payload -Credential $credential -Headers $hdrs
            $Content = "Response from API : $response"
            Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message
        }
        else {
            $response = Invoke-RestMethod -Method POST -Uri $uri -Body $payload -UseDefaultCredentials -Headers $hdrs
            $Content = "Response from API : $response"
            Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message
        }

        $stopwatchApi.Stop()
    
        $Content = "Time taken by API : $($stopwatchApi.Elapsed.TotalSeconds) seconds"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message   
    }
    catch {
        $err = $_

        $Content = "An error occurred : $($err.Exception)"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Error

        $Content = "Error Details : $($err)"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug
    }    
}

# Get the Current Directory
$CurrentDirectory = $PSScriptRoot

if ($UseCustomCredentials -eq $true) {
    $cred = Get-Credential
}

$LogFilePath = Join-Path $PSScriptRoot "$($MyInvocation.MyCommand.Name)_$(Get-Date -Format ddMMyyyyHHmmss).log"

$Content = "************************************************"
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

$Content = "Starting script"
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

$Content = "************************************************"
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

$Content = "Running Script Version: " + $ScriptVersion
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

# Get the Current Directory

$Content = "Current Directory is " + $CurrentDirectory
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

$Content = "Tachyon API Base URL: " + $TachyonApiBaseUrl
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message

$Content = "Folder Path containing Device list files: " + $FolderPath
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message

$Content = "Verifying Folder Path : $FolderPath"
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

if (!(Test-Path $FolderPath)) {
    $Content = "Folder path does not exist : $FolderPath"
    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Error

    exit
}

$Content = "Fetching all supported files from folder"
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug
$files = Get-ChildItem -Path $FolderPath -Filter *.txt

$Content = "Total Files in folder $FolderPath : $($files.Count)"
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

foreach($file in $files)
{
    $fileFullPath = $file.FullName

    $Content = "Reading File : $fileFullPath"
    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message

    $stopwatchFileRead =  [system.diagnostics.stopwatch]::StartNew()
    
    $fqdnList = New-Object System.Collections.Generic.List[System.Object]

    foreach($line in [System.IO.File]::ReadLines($fileFullPath))
    {
        # Trim before the empty check so whitespace-only lines are skipped too
        $line = $line.Trim()
        if($line -ne ""){
            $fqdnList.Add($line)
        }
    }

    if($fqdnList.Count -lt 2){
        $Content = "No device present in file"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Error
        
        Continue
    }

    #File name is Management Group Name
    $MGName = $file.BaseName

    #First line of the file is the Management Group Description
    $MgDescription = $fqdnList[0]
    
    #Removing the first line from collection as it's MG description
    $fqdnList.RemoveAt(0)

    $payload = ConvertTo-Json $fqdnList

    $stopwatchFileRead.Stop()

    $Content = "Time taken in reading file : $($stopwatchFileRead.Elapsed.TotalSeconds) seconds"
    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug
    
    $Content = "Creating Management Group -"
    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Info
    
    $Content = "  Name : $MGName"
    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message
    
    $Content = "  Description : $MgDescription"
    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message
    
    $Content = "  Total Devices in file : $($fqdnList.Count)"
    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message
    
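    # Trim any white space at the beginning or end of the URL
    $TachyonApiBaseUrl = $TachyonApiBaseUrl.Trim()

    # Escape the name and description so characters such as '/', '?' or '#' cannot alter the request path
    $uri = "$TachyonApiBaseUrl/admin/managementgroups/upload/$([uri]::EscapeDataString($MGName))/$([uri]::EscapeDataString($MgDescription))"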

    $Content = "URI : $uri"
    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

    Invoke-DirectMgApi -uri $uri -payload $payload -Credential $cred
    
}

$Content = "Complete"
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message

Example usage:

.\Create-DirectManagementGroupUsingFile.ps1 -TachyonApiBaseUrl https://tachyon.testlab.com -FolderPath C:\Temp\DeviceFolder -UseCustomCredentials

| Parameter name | Mandatory | Description |
|---|---|---|
| TachyonApiBaseUrl | Yes | Tachyon Platform base URL, for example: https://tachyon.lab.local |
| FolderPath | Yes | Folder path which contains files containing Device FQDN list |
| UseCustomCredentials | No | Use custom credentials (the script will prompt); otherwise current Windows credentials will be used to call APIs. |

  1. Create a folder which will contain text files to create Management Groups. This is the FolderPath passed as a parameter in the PowerShell script.
  2. Create text files in the above folder, each with the same name as its Management Group (e.g. ManagementGroupName.txt)
    • Enter Management Group Description in first line
    • Enter one or more Device FQDN from second line onwards, one device per line.
  3. Optionally add more files if you want to create multiple Management Groups.
  4. Execute the PowerShell script.

To ensure all devices are present in the Tachyon Inventory repository, ensure you have configured a connector for the inventory source you are using to create your device lists.
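
A pre-flight check for the device-list folder, as an added example that is not part of the 1E script. It validates the file layout described in the steps above and flags characters that matter because the script places the file name and the first line into the upload URI path; the function name Test-MgDeviceListFolder, its output shape and the sample device names are assumptions.

```powershell
# Added example (not 1E code): pre-flight check for the -FolderPath folder.
# Test-MgDeviceListFolder and its output shape are hypothetical.
function Test-MgDeviceListFolder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string] $FolderPath
    )

    # Characters that change the meaning of a URI path segment. The file name
    # and the description line both end up in the upload URI path.
    $uriUnsafe = '[/\\?#%]'

    # Conservative FQDN check: two or more dot-separated labels of letters,
    # digits and hyphens, 1-63 characters each, no leading or trailing hyphen.
    $label = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    $fqdnPattern = '^{0}(\.{0})+$' -f $label

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($File, $Line, $Issue) {
        $findings.Add([pscustomobject]@{ File = $File; Line = $Line; Issue = $Issue })
    }

    foreach ($file in (Get-ChildItem -Path $FolderPath -Filter *.txt -File)) {
        if ($file.BaseName -match $uriUnsafe) {
            Add-Finding $file.Name 0 'Group name (file name) contains a URI-reserved character'
        }

        # Drop blank lines but remember the original line numbers for reporting.
        $raw = @(Get-Content -LiteralPath $file.FullName)
        $entries = @(for ($i = 0; $i -lt $raw.Count; $i++) {
            $text = $raw[$i].Trim()
            if ($text -ne '') { [pscustomobject]@{ Line = $i + 1; Text = $text } }
        })

        if ($entries.Count -lt 2) {
            Add-Finding $file.Name 0 'Needs a description line plus at least one device'
            continue
        }

        # The first non-empty line is the Management Group description.
        if ($entries[0].Text -match $uriUnsafe) {
            Add-Finding $file.Name $entries[0].Line 'Description contains a URI-reserved character'
        }

        $seen = @{}   # hashtable keys compare case-insensitively, like host names
        foreach ($entry in ($entries | Select-Object -Skip 1)) {
            $fqdn = $entry.Text
            if ($fqdn.Length -gt 253 -or $fqdn -notmatch $fqdnPattern) {
                Add-Finding $file.Name $entry.Line "Not a well-formed FQDN: $fqdn"
            }
            elseif ($seen.ContainsKey($fqdn)) {
                Add-Finding $file.Name $entry.Line "Duplicate of line $($seen[$fqdn]): $fqdn"
            }
            else {
                $seen[$fqdn] = $entry.Line
            }
        }
    }

    $findings
}

# Constructed sample input: one well-formed file and one with problems.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ("MgDemo_" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -Path (Join-Path $demo 'Finance Laptops.txt') -Value @(
    'Laptops used by Finance', 'fin-lt-001.lab.local', 'fin-lt-002.lab.local')
Set-Content -Path (Join-Path $demo 'Kiosks.txt') -Value @(
    'Kiosks / front desk', 'kiosk01.lab.local', 'KIOSK01.lab.local', 'kiosk02')

Test-MgDeviceListFolder -FolderPath $demo | Format-Table -AutoSize
Remove-Item -Path $demo -Recurse
```

Run it against the folder before the import and treat any finding as a reason to stop, because an existing Management Group with the same name is deleted and recreated from whatever the file contains.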

Create Direct-based Management Groups from a Configuration Manager collection

Create-DirectManagementGroupUsingCmCollection.ps1
<#
.SYNOPSIS
1E Tachyon – Create Direct Management Group
Copyright © 1e Ltd 2021 - all rights reserved
http://www.1e.com

Version 1.5

Disclaimer
Your use of this software is at your sole risk. All software is provided "as-is", without any warranty, whether express or implied, of accuracy, completeness,
fitness for a particular purpose, title or non-infringement, and none of the software is supported or guaranteed by 1E. 1E shall not be liable for any damages
you may sustain by using this software, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such
damages.

If you have an issue using this software, please ensure you are using an unmodified version before contacting 1E Support.


.DESCRIPTION
This script reads the memberships of ConfigMgr Collections (Both Direct and Query based membership) and creates Direct Membership Management
Groups through SLA/Tachyon APIs. If the group does not exist it is created, and devices are added. If the group exists, the existing devices 
are deleted and new devices are added. The script is designed to run from the ConfigMgr server. It queries WMI and gets the information 
necessary to connect to the ConfigMgr's site namespace.


.PARAMETER TachyonApiBaseUrl
Mandatory parameter.  The header name used to access the Tachyon web service.  Should match the header listed in the IIS bindings on the Tachyon server.

.PARAMETER FilePath
Mandatory parameter.  The name of the input file which contains the list of collections to be used in creating Direct Membership Management Groups.  Each line in file 
contains Collection Name, Management Group Name, and Management Group Description; all three values separated by a comma.
e.g.
Collection 1,Management Group 1, Management Group 1 Description
Collection 2,Management Group 2, Management Group 2 Description

.PARAMETER UseCustomCredentials
Optional switch.  If UseCustomCredentials is used, User will be prompted to enter the credentials, otherwise the script will use default credentials.

.EXAMPLE
.\Create-DirectManagementGroupUsingCmCollection.ps1 -TachyonApiBaseUrl https://tachyon.lab.local -FilePath C:\Temp\Collection.txt

Scenario:
A Tachyon server is accessed using URL https://tachyon.lab.local/Tachyon using default credentials.  The file containing the list of collections to process  
is in the location C:\Temp\Collection.txt.

.EXAMPLE
.\Create-DirectManagementGroupUsingCmCollection.ps1 -TachyonApiBaseUrl https://tachyon.lab.local -FilePath C:\Temp\Collection.txt -UseCustomCredentials

Scenario:
A Tachyon server is accessed using URL https://tachyon.lab.local/Tachyon using different credentials other than current default credentials.  
The file containing the list of collections to process is in the location C:\Temp\Collection.txt.

#>


param(
    [Parameter(Mandatory=$true, HelpMessage="Enter Tachyon API Base URL e.g. : https://tachyon.testlab.com")]
    [ValidateNotNullOrEmpty()]
    [string] $TachyonApiBaseUrl,

    [Parameter(Mandatory=$true, HelpMessage="Enter File Path which contains collection details in csv format. The file should contain Collection Name, Management Group Name, and Management Group Description")]
    [ValidateNotNullOrEmpty()]
    [string] $FilePath,

    [Parameter(Mandatory=$false, HelpMessage="To use Custom Credentials other than windows default credentials")]
    [Switch] $UseCustomCredentials
)

$ScriptVersion = "1.5" # Update the script version here

function Write-log {

    [CmdletBinding()]
    Param(
          [parameter(Mandatory=$true)]
          [String]$Path,

          [parameter(Mandatory=$true)]
          [String]$Message,

          [parameter(Mandatory=$true)]
          [String]$Component,

          [Parameter(Mandatory=$true)]
          [ValidateSet("Debug", "Info", "Message", "Warning", "Error")]
          [String]$Type
    )

    switch ($Type) {
        "Info" { [int]$Type = 1 }
        "Warning" { [int]$Type = 2 }
        "Error" { [int]$Type = 3 }
        "Debug" { [int]$Type = 4 }
        "Message" { [int]$Type = 5 }
    }

    # Create a log entry
    $Content = "<![LOG[$Message]LOG]!>" +`
        "<time=`"$(Get-Date -Format "HH:mm:ss.ffffff")`" " +`
        "date=`"$(Get-Date -Format "M-d-yyyy")`" " +`
        "component=`"$Component`" " +`
        "context=`"$([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)`" " +`
        "type=`"$Type`" " +`
        "thread=`"$([Threading.Thread]::CurrentThread.ManagedThreadId)`" " +`
        "file=`"`">"

    try {
        # Write the line to the log file
        Add-Content -Path $Path -Value $Content
    }
    catch {
        Write-Host "User does not have access to write log at path $Path" -ForegroundColor Yellow
        Write-Host $Message
    }

    if ($Type -eq 1) {
        Write-Host $Message -ForegroundColor Yellow
    }

    if ($Type -eq 3) {
        Write-Host $Message -ForegroundColor Red
    }

    if ($Type -eq 5) {
        Write-Host $Message
    }
}

function Invoke-DirectMgApi{
    [CmdletBinding()]
    Param(
          [parameter(Mandatory=$true)]
          [String]$uri,

          [parameter(Mandatory=$true)]
          [String]$payload,

          [parameter(Mandatory=$false)]
          [System.Management.Automation.PSCredential]$credential
    )

    $hdrs = @{
        "Accept" = "application/json"
        "Content-type" = "application/json"
        "X-Tachyon-Consumer" = "Platform"
    }

    try {
        $stopwatchApi =  [system.diagnostics.stopwatch]::StartNew()

        $Content = "Invoking API"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message

        # Require TLS 1.2; TLS 1.0 and 1.1 are deprecated (RFC 8996)
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

        if($credential){
            $response = Invoke-RestMethod -Method POST -Uri $uri -Body $payload -Credential $credential -Headers $hdrs
            $Content = "Response from API : $response"
            Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message
        }
        else {
            $response = Invoke-RestMethod -Method POST -Uri $uri -Body $payload -UseDefaultCredentials -Headers $hdrs
            $Content = "Response from API : $response"
            Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message
        }

        $stopwatchApi.Stop()
    
        $Content = "Time taken by API : $($stopwatchApi.Elapsed.TotalSeconds) seconds"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message   
    }
    catch {
        $err = $_

        $Content = "An error occurred : $($err.Exception)"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Error

        $Content = "Error Details : $($err)"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug
    }    
}

function Connect-ConfigMgrModule{
    try {
        # Load CM PowerShell Module

        if (-Not (Test-Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\ConfigMgr10\AdminUI")) {
            $Content = "Configuration Manager not found. Please verify if the machine has Configuration Manager installed."
            Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Error
            exit
        }

        $CMConsolePath = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\ConfigMgr10\AdminUI" | Select-Object -expandProperty AdminUILog).Replace("\AdminUILog\", "")
        if ($CMConsolePath) {
            Import-Module -Name "$CMConsolePath\bin\ConfigurationManager.psd1"
            $Content = "Loaded ConfigurationManager.psd1 module"
            Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug
        }
        else {
            $Content = "ConfigurationManager.psd1 module not found. Please verify if the machine has Configuration Manager installed."
            Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Error
            exit
        }
        
        # Get the CM Site Code
        $CMSiteCode = Get-WMIObject -Namespace root\sms -Class SMS_ProviderLocation | Select-Object -expandproperty SiteCode

        # A failed WMI lookup yields $null, which does not equal "", so test for both
        if ([string]::IsNullOrEmpty($CMSiteCode)) { 
            $Content = "Sitecode could not be determined."
            Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Error
            exit
        }

        $Content = "ConfigMgr Site Code: " + $CMSiteCode
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message

        $CMLocation = $CMSiteCode + ":"

        $Content = "Setting Location : $CMLocation"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

        Push-Location

        Set-Location -Path $CMLocation
    }
    catch {
        $err = $_

        $Content = "An error occurred while loading configuration manager module : $($err.Exception)"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Error

        $Content = "Error Details : $($err)"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

        exit
    }

    
}

function Read-ConfigMgrDeviceCollection{
    [CmdletBinding()]
    Param(
          [parameter(Mandatory=$true)]
          [hashtable]$collectionList
    )

    try {
        $stopwatch =  [system.diagnostics.stopwatch]::StartNew()

        $arrCMCollList = Get-CMDeviceCollection | Select-Object -Property CollectionID,Name
        ForEach ($CMCollection IN $arrCMCollList){
            $CMCollName = $CMCollection.Name
            
            $Content = "Retrieved Collection Name from ConfigMgr: " + $CMCollName
            Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

            $CMCollId = $CMCollection.CollectionID

            If ($collectionList.ContainsKey($CMCollName)){

                $arrCollectionMembership = Get-CMCollectionMember -CollectionId $CMCollID | Select-Object -expandProperty Name
                If ($null -ne $arrCollectionMembership){
                    $Content = "Fetching Devices from Collection : " + $CMCollName
                    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message

                    $MgName = $collectionList["$CMCollName"][0]
                    $MgDescription = $collectionList["$CMCollName"][1]
                    
                    #Create File to save the device list, which later will be used to create MG
                    $MGFileName = $MgName + ".txt"
                    $MGFilePath = Join-Path $FolderPath $MGFileName
                    if (!(Test-Path $MGFilePath)){
                        $Content = New-Item -itemType File -Path $FolderPath -Name $MGFileName
                        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

                        $Content = "Created file $MGFilePath"
                        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

                        Add-Content -Path "$MGFilePath" -Value "$MgDescription"

                        $Content = "Added description $MgDescription"
                        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug
                    }
                    
                    ForEach ($CollMember IN $arrCollectionMembership){
                        $deviceDetails = Get-CMDevice -Name $CollMember -Resource | Select-Object Name,FullDomainName
                        $deviceFullName = $deviceDetails.Name + "." + $deviceDetails.FullDomainName
                        
                        $Content = "Adding device: " + $deviceFullName + " to MG File: " + $MgName
                        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

                        Add-Content -Path "$MGFilePath" -Value "$deviceFullName"
                    }
                }

            }
        }

        $stopwatch.Stop()

        $Content = "Time taken in reading devices from Collection : $($stopwatch.Elapsed.TotalSeconds) seconds"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message
        
        Pop-Location

        $Content = "Update location back to local drive"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

        $Content = "**********************"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message                                        
    }
    catch {
        $err = $_

        $Content = "An error occurred while fetching devices : $($err.Exception)"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Error

        $Content = "Error Details : $($err)"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

        exit
    }

   
}

# Get the Current Directory
$CurrentDirectory = $PSScriptRoot

#Temp Folder to contain list of devices which will be used to create MG
$MGFolderName = "MGDeviceList"
$FolderPath = Join-Path $CurrentDirectory $MGFolderName

if ($UseCustomCredentials -eq $true) {
    $cred = Get-Credential
}


$LogFilePath = Join-Path $CurrentDirectory "$($MyInvocation.MyCommand.Name)_$(Get-Date -Format ddMMyyyyHHmmss).log"


$Content = "************************************************"
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

$Content = "Starting Script"
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

$Content = "************************************************"
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

$Content = "Running Script Version: " + $ScriptVersion
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

$Content = "Current Directory is: " + $CurrentDirectory
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

$Content = "Tachyon API Base URL: " + $TachyonApiBaseUrl
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message

$Content = "File Path containing CM Collection list: " + $FilePath
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message

$Content = "Temp Folder Path to save Device List: " + $FolderPath
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message


$Content = "Verifying File Path : $FilePath"
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

if (!(Test-Path $FilePath)) {
    $Content = "File path does not exist : $FilePath"
    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Error

    exit
}

try {
    if (!(Test-Path $FolderPath)) {
        $Content = "Creating temp folder : $FolderPath"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug
    
        # -ErrorAction Stop turns a failed create into a terminating error so the catch block runs
        $Content = New-Item -Path "$CurrentDirectory" -Name $MGFolderName -ItemType "directory" -ErrorAction Stop
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug
    }
    else{
        $Content = "Deleting existing MG files from $FolderPath"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug
    
        # Delete Collection Membership List Files.
        # -ErrorAction Stop makes a failed delete reach the catch block, so device lists left over
        # from an earlier run are not picked up and uploaded as Management Groups later in the script.
        Remove-Item -Path "$FolderPath\*.*" -ErrorAction Stop
    }
}
catch {
    $Content = "User does not have permission to create or clear : $FolderPath"
    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Error

    exit
}

# Read Collection Details from File
$Content = "Reading collection details from $FilePath"
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message

$collectionList = @{}

foreach($line in [System.IO.File]::ReadLines($FilePath))
{
    if($line -ne ""){
        $collectionDetails = $line.Split(",")
        if($collectionDetails.Count -lt 3){
            $Content = "Input data not in correct format. It should contain <CollectionName>,<MGName>,<MGDescription>"
            Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Error
            exit
        }
        $collectionList.Add($collectionDetails[0],@($collectionDetails[1],$collectionDetails[2]))
    }
}

if($collectionList.Count -lt 1){
    $Content = "No collection details present in file"
    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Error
    
    exit
}

#Loading Config Manager Powershell Modules
Connect-ConfigMgrModule

#Read Device Collections from Config Manager and prepare device list in temp folder which will be used to create 
Read-ConfigMgrDeviceCollection -collectionList $collectionList

$Content = "Verifying Folder Path : $FolderPath"
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

if (!(Test-Path $FolderPath)) {
    $Content = "Folder path does not exist : $FolderPath"
    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Error

    exit
}

$Content = "Fetching all files from folder"
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug
$files = Get-ChildItem -Path $FolderPath -Filter *.txt


$Content = "Total Files in folder $FolderPath : $($files.Count)"
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

foreach($file in $files)
{
    $fileFullPath = $file.FullName

    $Content = "Reading File : $fileFullPath"
    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message

    $stopwatchFileRead =  [system.diagnostics.stopwatch]::StartNew()

    $fqdnList = New-Object System.Collections.Generic.List[System.Object]

    foreach($line in [System.IO.File]::ReadLines($fileFullPath))
    {
        if($line -ne ""){
            $fqdnList.Add($line)
        }
    }

    if($fqdnList.Count -lt 2){
        $Content = "No device present in file"
        Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Error
        
        Continue
    }

    #File name is Management Group Name
    $MGName = $file.BaseName

    #First line of the file is the Management Group Description
    $MgDescription = $fqdnList[0]
    
    #Removing the first line from collection as it's MG description
    $fqdnList.RemoveAt(0)

    $payload = ConvertTo-Json $fqdnList

    $stopwatchFileRead.Stop()

    $Content = "Time taken in reading file : $($stopwatchFileRead.Elapsed.TotalSeconds) seconds"
    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug
   
    $Content = "Creating Management Group -"
    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Info
    
    $Content = "  Name : $MGName"
    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message
    
    $Content = "  Description : $MgDescription"
    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message
    
    $Content = "  Total Devices in file : $($fqdnList.Count)"
    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message
    
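    #trimming any white space if any in the beginning or end in url
    $TachyonApiBaseUrl = $TachyonApiBaseUrl.Trim()

    #Escape the name and description so spaces and reserved characters (/ ? # %) stay inside their own URL path segment
    $uri = "$TachyonApiBaseUrl/admin/managementgroups/upload/$([uri]::EscapeDataString($MGName))/$([uri]::EscapeDataString($MgDescription))"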

    $Content = "URI : $uri"
    Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Debug

    Invoke-DirectMgApi -uri $uri -payload $payload -Credential $cred
}

$Content = "Complete"
Write-Log -Path $LogFilePath -Message $Content -Component $MyInvocation.MyCommand.Name -Type Message

.\Create-DirectManagementGroupUsingCmCollection.ps1 -TachyonApiBaseUrl https://tachyon.testlab.com -FilePath C:\Temp\Collection.txt -UseCustomCredentials
| Parameter name | Mandatory | Description |
| --- | --- | --- |
| TachyonApiBaseUrl | Yes | Tachyon Platform base URL, for example: https://tachyon.lab.local |
| FilePath | Yes | Path of the file that contains details of the CM Collections. |
| UseCustomCredentials | No | Use custom credentials (the script will prompt); otherwise the current Windows credentials will be used to call the APIs. |

  1. Create a text file, which will be passed as a parameter to the PowerShell script.
  2. In the file enter the following as a comma separated single line: Collection name, Management Group Name, Management Group Description
  3. Optionally, enter more lines in the same format if you want to create multiple Management Groups.
  4. Execute the PowerShell script.

This script is designed to be run on the Configuration Manager Site server.

To ensure all CM devices are present in the Tachyon Inventory repository, ensure you have a System Center Configuration Manager connector and run its Data Sync action to populate the repository.
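
A pre-flight check for the collection list file, added here as an example (it is not part of the 1E script). Test-CollectionListFile and the sample rows are hypothetical; the checks mirror how the script above splits each line on commas, keys the collections in a hashtable, and reuses the Management Group name as a file name and a URL path segment.

```powershell
# Added example, not part of Create-DirectManagementGroupUsingCmCollection.ps1.
# Test-CollectionListFile is a hypothetical helper; the sample rows are constructed.
function Test-CollectionListFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$Lines
    )

    # The Management Group name is reused as a file name and as a URL path segment;
    # the description is only placed in the URL.
    $unsafeInName = [char[]]'\/:*?"<>|#%'
    $unsafeInDesc = [char[]]'/?#%'

    $ignoreCase  = [System.StringComparer]::OrdinalIgnoreCase
    $collections = [System.Collections.Generic.HashSet[string]]::new($ignoreCase)
    $mgNames     = [System.Collections.Generic.HashSet[string]]::new($ignoreCase)

    # Emits one finding object on the function's output stream.
    $finding = {
        param($Line, $Severity, $Message)
        [pscustomobject]@{ Line = $Line; Severity = $Severity; Message = $Message }
    }

    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        if ($line -eq '') { continue }    # the script skips empty lines too

        $fields = $line.Split(',')
        if ($fields.Count -lt 3) {
            & $finding $lineNo 'Error' 'Fewer than three fields; the script logs an error and exits.'
            continue
        }
        if ($fields.Count -gt 3) {
            & $finding $lineNo 'Warning' 'Description contains a comma; only the text before it is used.'
        }

        $collection, $mgName, $description = $fields[0], $fields[1], $fields[2]

        if (@($fields[0..2] | Where-Object { $_ -ne $_.Trim() }).Count -gt 0) {
            & $finding $lineNo 'Warning' 'A field has leading or trailing spaces; the script does not trim them.'
        }
        if ($mgName.Trim() -eq '') {
            & $finding $lineNo 'Error' 'Management Group name is empty.'
        }
        # PowerShell hashtables are case-insensitive, so compare collection names the same way.
        if (-not $collections.Add($collection)) {
            & $finding $lineNo 'Error' "Collection '$collection' is listed twice; the script's hashtable Add() throws on the repeat."
        }
        # Management Group names must be unique and are not case-sensitive.
        if (-not $mgNames.Add($mgName.Trim())) {
            & $finding $lineNo 'Error' "Management Group name '$mgName' repeats an earlier name (names are not case-sensitive)."
        }
        if ($mgName.IndexOfAny($unsafeInName) -ge 0) {
            & $finding $lineNo 'Error' "Management Group name '$mgName' contains a character that is invalid in a file name or reserved in a URL path."
        }
        if ($description.IndexOfAny($unsafeInDesc) -ge 0) {
            & $finding $lineNo 'Warning' 'Description contains a character that is reserved in a URL path (/ ? # %).'
        }
    }
}

# Constructed sample input (not real collections).
$sample = @(
    'All Windows 10 Devices,All Managed Windows 10 Devices,Windows 10 workstations'
    'All Windows 7 Devices, All Managed Windows 7 Devices,Windows 7 workstations'
    'all windows 10 devices,Win10 Pilot,Pilot ring'
    'Lab Servers,Servers/Lab,Lab servers, building 2'
    'Kiosks,Kiosk devices'
)

# For a real file: Test-CollectionListFile -Lines (Get-Content C:\Temp\Collection.txt)
Test-CollectionListFile -Lines $sample | Format-Table -AutoSize -Wrap
```

Any row reported as Error should be corrected before the file is passed to -FilePath, because the script exits on the first malformed line.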

Working with direct-based Management Groups

Given the information provided in Creating direct-based Management Groups we can now give an example of how direct-based Management Groups can be added.

Before adding the direct-based Management Groups

In our example, we do not have any Management Groups except the default All Devices group with a total of all seven devices in our network, as shown in the picture opposite.

Once imported into Tachyon, your direct-based Management Groups will be added as child groups of the default All Devices Management Group.

The device files

We've created a C:\Sources\DeviceFolder folder and added two files, All Managed Windows 10 Devices.txt and All Managed Windows 7 Devices.txt, each containing a list of device FQDNs on separate lines.

We have also added the Create-DirectManagementGroupUsingCmCollection.ps1 script to this folder; in our example we'll run the script from the same folder as the text files.

Unlike rule-based Management Groups, once a direct-based Management Group is added to Tachyon, you cannot later change the name.

To distinguish your direct-based Management Groups from your rule-based groups, you should give them a meaningful naming convention. For the purposes of our example we have just used All Managed Windows as a prefix to indicate them.

All Managed Windows 7 Devices FQDN

 All Managed Windows 10 Devices FQDN

Running the script to populate the direct-based Management Groups

With the device files in place, in our example, we run the Create-DirectManagementGroupUsingFile.ps1 file with the following command-line:

.\Create-DirectManagementGroupUsingFile.ps1 -TachyonApiBaseUrl https://tachyon.testlab.com -FolderPath C:\Temp\DeviceFolder -UseCustomCredentials

Here the TachyonApiBaseUrl is set to our example instance of https://tachyon.1etrn.local and the -FolderPath is set to the C:\Sources\DeviceFolder we set up earlier.

We don't bother with the UseCustomCredentials setting as the account we are running the script with has administrator permissions in Tachyon.

Checking the log file for Create-DirectManagementGroupUsingFile.ps1

After running the script you will find a log file is created in the same directory where the Create-DirectManagementGroupUsingFile.ps1 is located. In our example we can see that the script completed without errors.

The reports for creating and enabling the direct-based Management Groups

When the direct-based Management Groups are added to Tachyon some reports will run to enable the Management Groups to be used.

If more than one direct-based Management Group is being added, you will see two Management Group Evaluation reports run on the default Inventory repository. You will also see an additional Management Group Evaluation report run on each additional non-default inventory repository you have in your system.

If you have Application Migration installed you will also see two Application Migration Consolidation reports run on the default ApplicationMigration repository.

In our example we have Application Migration installed, so we see four reports run when the direct-based Management Groups are added: two Management Group Evaluation reports and two Application Migration Consolidation reports, as can be seen in the picture opposite.

The direct-based Management Groups added

After running the script, two new direct-based Management Groups get added:

  • All Managed Windows 10 Devices.txt
  • All Managed Windows 7 Devices.txt

You can drill down to see the details of a Management Group by clicking the Name link.

Direct based management groups added

Clicking on the All Managed Windows 10 Devices.txt Management Group name link displays the details for that Management Group. Here, you can view group members, export the membership as a .TSV file or add Child Management Groups as required.

You can use the Inventory→Hardware Inventory page with the Management Group selector set to the name of the Management Group, to view every device contained in the new Management Group.

Working with rule-based Management Groups

Rule-based Management Groups are defined and maintained in the Settings→Permissions→Management Groups page. They use device inventory data gathered from data sources by connectors and use Management Groups to control how instructions are applied in Tachyon applications. All child Management Groups must be created under the default All Devices Management Group.

From Tachyon 8.0 you can easily create complex Management Group definitions by building rules for them in the Rules section of each Management Group. In the Rules section, you can define parameters that determine which devices are members of your Management Groups. The rules you create can be as simple as defining membership according to the OU path in your AD, or as complex as adding groups of rules that narrow membership down to details like Processor Matched Threads per Core. You can also use device or software tags that you have created to define Management Group membership, or a combination of all these parameters.

By default, in a new installation of Tachyon, all devices are members of the All Devices group. If you have upgraded from a previous version of Tachyon, your previously created Management Group will be preserved and will become a child Management Group of All Devices Management Group.

From Tachyon 8.0 you can create Child Management Groups and nest them into a Hierarchy Structure where child Management Groups inherit rules from their parent groups.

Using child Management Groups you could create by hand a Management Group structure which mirrors your Configuration Manager collections, or divide your Management Groups by device type, for example into servers and workstations. You can use the delegation feature to create Management Groups that mirror your organizational structure with associated delegated roles.

To find out how to use scripts to import a Management Group structure from a file or from a Configuration Manager collection, refer to Creating direct-based Management Groups.

Refer to Management Groups - tutorial for a conceptual example of how you might create a Hierarchy Structure, and  for details about how you can use the delegation feature.

The following sections walk through the basic steps required to:

All Devices management group

Creating a rule-based Management Group

In this example we will create a Management Group for devices that are based in a different office location. This location contains Windows 7 devices and is named Sales. The new Management Group is going to be a child group of the All Devices group.

To create the rule-based Management Group:

  1. Navigate to the Settings→Permissions→Management Groups page.
  2. Click the Add Child button to display the new Management Group template.
  3. Enter a suitable Name for the Management Group. For example Sales.
  4. Add a Description. It's a good idea to use a description that provides an outline of the rules that are used to populate the Management Group. For example OU Path Contains Sales.
  5. To add each rule:
    1. Click on the Add rule button. The first one is already added, all you need to do is fill out the parts of the rule.
    2. First, you select the rule name and description, for example, OU Path.
    3. You then select the condition. For example Contains.
    4. To complete the rule you then set the value. For example Sales.
    5. Click Save.
  6. Repeat step 5 for each rule you want to define.
  7. When you have more than one rule added, you can:
    1. Use the gripper icon at the right-hand end of the rule to change the order the rules are applied by dragging the rule to a new place in the list.
    2. Change the conjunction operator at the left-hand end of the rule to select between AND and OR.
  8. When you have finished adding the rules, you need to decide whether you want the Management Group membership to be evaluated immediately on adding the Management Group. If you are just adding one Management Group, it makes sense to click the Evaluate button. If you are adding a number of Management Groups, it may be a good idea to leave the evaluation until they have all been added, then click the Evaluate All button at the top of the page.
  9. If you click Evaluate All and there is more than one inventory repository an additional control will be displayed prompting you to select which repository you want to evaluate the Management Group rules against.

The Management Group will be added to the Hierarchy Structure.

You can create nested groups of rules using the Add group button. For example, we want to narrow the devices in the Sales group to those devices with an Intel processor and an OS of Windows 7 as we want to upgrade this legacy OS.

Editing a management group

Rule builder extended

If you selected to evaluate rules immediately, the rules you set for the Management Group will be evaluated against the selected inventory repository.

To check how many devices are in the Management Group, switch to the Inventory app and select the Management Group name from the drop-down.

The picture opposite shows the details for the OU Path contains Sales Management Group, showing that it contains 2 devices.

Explorer Devices table

Once the Management Group rules have been evaluated, you should then be able to check the devices in Explorer contained in the group using the Explorer→Devices→Table page. The picture opposite shows the Devices table with the Management Group filter set to Sales.

Explorer Devices table

Editing a rule-based Management Group

To edit an existing rule-based Management Group:

  1. Navigate to the Settings→Permissions→Management Groups page.
  2. In the Management Groups table, locate the Management Group you want to edit and click the title at the left-hand end of its row in Hierarchy Structure.
  3. Here you can edit the Name, Description and Rules that define the Management Group.
  4. When you've finished editing, before you click the Save button you can click Evaluate, which enables any modifications you've made to the rules to take effect right away. If you don't check the box, the rules won't be run, but you'll be able to evaluate the Management Groups later.

Editing a management group

Deleting a Management Group

The following applies to rule-based and direct-based Management Groups. 

To delete an existing Management Group:

  1. Navigate to the Settings→Permissions→Management Groups page.
  2. In the Management Groups table, locate the Management Group you want to delete and click the title at the left-hand end of its row in Hierarchy Structure.
  3. Click the Delete button. This displays the Delete Management Group popup.
  4. Here you are asked if you want to proceed with the delete process. Click the Yes, delete Management Group button to confirm the deletion, or No to cancel.

Evaluating Management Group membership

You can select to evaluate the Management Groups at any time.

  1. Navigate to the Settings→Permissions→Management Groups page.
  2. Click the Evaluate button.
  3. If there is only one inventory repository, the evaluation will be queued immediately. If there is more than one inventory repository, the Evaluate Management Groups popup will be displayed, and you will need to select a Repository then click the Evaluate button before the evaluation is queued.
  4. When an evaluation is queued you will see a Management Group Evaluation action appear on the Settings→Monitoring→Process log page. From there you can view the progress of the evaluation.
  5. When this action has run, the Explorer application will reflect any changes that have been made to the Management Group memberships.

Delegation in Tachyon

Delegation in Tachyon is a concept where an administrator can delegate some of their own responsibility to other users and limit the area where they can use that responsibility. In Tachyon, a Full administrator can create and modify Roles. They can also assign any Role to a Tachyon user or group using Management Groups. There are exceptions, like the Group Administrator Role, which cannot be assigned to All Devices.

For example, a local security administrator with the Group Administrator role cannot create or modify Roles, but they can assign any Role that is marked as delegatable to a Management Group they have the security permission on, or any of its child Management Groups.

The exception is that a local security administrator cannot assign a Role that has the same security permission using the same Management Group they have permissions on. Instead, they have to use a child Management Group of the one they have security permissions on.

Essentially, a local security administrator cannot create an assignment that would result in another Tachyon user or group having the same security permissions as they do.

Group Administrator permissions

Delegation example

In our example we have a new Tachyon installation with only a few assignments. The one shown in the picture is of the Full Administrator role, which is assigned to the group All_Devices_Full_Administrator and is assigned to All Devices. We have used a group to control the assignment instead of an individual user account.

All_Devices_Full_Administrator

In our example, we want to use the delegation feature of Tachyon and use the Group Administrator role to delegate some tasks for Servers, a child Management Group of All Devices, to another administrator.

We'll assign the Group Administrator role to a Universal AD group called Server_Group_Administrator which we have added to Tachyon using the Users and Groups page.

To add the new assignment:

  1. On the Settings→Permissions→Assignments page, we click on the title of the role to configure, in this case Group Administrator. This displays the Assignments page focused on that role.
  2. Clicking the plus sign button allows us to add our group, Server_Group_Administrator and the associated Management Group, Servers.
  3. Once we've selected the group and Management Group, we click the  Save  button.

 Server_Group_Administrator

When a user in the Server_Group_Administrator group signs in to Tachyon, they will be able to create a child Management Group, for example a subset of the Servers Management Group for application servers called App servers. Other Management Groups at the same level are locked because the Server_Group_Administrator has not been applied to those Management Groups.

If, for example, our Server_Group_Administrator now wants to add a user with the All Instructions Questioner role to the new App servers Management Group, they can now do so.

For a complete reference table of Tachyon roles, please refer to the Roles and Securables page.

This page contains a full list of roles, their associated permissions, whether each role is delegatable and notes indicating if the role is new in 8.0 or renamed for the Tachyon 8.0 release.

| Role | Description |
| --- | --- |
| System roles | System roles are built-in and are not configurable, however they can be assigned to users the same as any other role. |
| Custom roles | Custom roles can be used to define who is able to use specific Instruction Sets to ask questions, run actions or approve actions. |
| Securables and operations | A Permission is one or more Operations for a Securable. The remit for a Securable is either Localized or Global. A Role that has only Localized permissions can be delegated. |

Group Administrator permissions applied

App servers management group

Management Group rules and conditions

In computing, a Boolean result means an expression is either true (1) or false (0). That is, expressions such as A AND B or A OR B give you a true or false result.  Boolean expressions can be much more complex, and you can use brackets (groupings) to keep the same operators together, for example A AND B AND C.  You would not write an expression such as A AND B OR C because it is ambiguous. It can be interpreted as either A AND (B OR C) or (A AND B) OR C.

When you are building rules, and you get different results to the ones you expect, write down each of your rules as A, B, C etc, and put them into a simple Boolean expression, like A OR (A AND B) = A.

This is perhaps the most important point to remember when building Management Group rules, and why it helps to write down what you are trying to achieve as a Boolean expression, then simplify it. The Rule examples section has some simple examples of how Boolean expressions translate to the rules you can apply to your own Management Groups.

Rule layout

The rows in the Rules section are laid out as follows:

Conjunction | Rule Name | Operators | Value | Delete | Gripper

Conjunction

When there is more than one rule, this field determines how it is evaluated with the other rules. This may be one of:

| Conjunction | Description |
| --- | --- |
| AND | This rule must be satisfied as well as any other rules. |
| OR | Either this rule must be satisfied or any other rules. |

Rule Name

Determines the type of information checked when evaluating the rule.

For example, selecting Device Computer Name will specify checking the set value against the information held internally for each device's computer name using the selected operand.

Please refer to List of available rules below.

Operators

How the value compares against the type of information.

This may be one of the following:

| Operator | Attribute type | Comparison |
| --- | --- | --- |
| Equal to | String, Date, Number, Yes/No | Your value is exactly equal to the device’s value. |
| Not Equal to | String, Date, Number | Your value is not equal to (different to) the device’s value. |
| Before | Date | Your date is before the device’s date. |
| After | Date | Your date is after the device’s date. |
| Begins with | String | The device’s value begins with your value. |
| Ends with | String | The device’s value ends with your value. |
| Less than | Number | Your value is less than the device’s value. |
| Less than or equal to | Number | Your value is less than or equal to the device’s value. |
| Greater than | Number | Your value is greater than the device’s value. |
| Greater than or equal to | Number | Your value is greater than or equal to the device’s value. |
| Is one of | Tag | The specified Device tag exists on the device, and its value is one of the array of alternative values that you specified. |
| Is not one of | Tag | The specified Device tag exists on the device, and its value is not one of the array of alternative values that you specified. |
| Is Null | String, Date, Number, Tag | The device does not provide this information. If you have specified a Device tag, it does not exist on the device. |
| Is not Null | String, Date, Number, Tag | The device provides this information, but it can be any value. If you have specified a Device tag, it exists on the device, set to any value. |
| Contains | String | The device’s value contains your text string. |
| Not Contains | String | The device’s value does not contain your text string. |

Value

The value field is either a string, date, or numeric value, depending on the chosen rule name.

It may also be a Device tag. For more information about Device tags, please refer to the Device Tags page.

Delete

This field contains an icon that lets you delete the rule.

Gripper

This field lets you grab the rule and change its order where there is more than one rule.

Rule examples

The following examples may help to illustrate the logic underpinning the rules you can build and apply to the Management Groups in your environment.

Rule example 1

"Device Netbios Name begins with 1ETRNW" OR ("Device Netbios Name begins with 1ETRNW" AND "Device Netbios Name begins with 1ETRN")

Is the same as saying:

"Device Netbios Name begins with 1ETRNW"

You could reduce this to the statement:

A OR (A AND B) = A

In our environment, this returns all five workstation devices with the NetBIOS name beginning 1ETRNW.

Rule example 1

Rule example 2

"Device Netbios Name contains 101" OR ("Device Netbios Name Contains 101" AND "Device Netbios Name Contains 71")

Is the same as:

"Device Netbios Name Contains 101"

Rule example 2

You could reverse the logic in the statement and say:

"Device Netbios name Contains 101" AND ("Device Netbios name Contains 101" OR "Device Netbios name Contains 71")

Which is the same as:

"Device Netbios Name Contains 101"

You could reduce this to the statement: 

A AND (A OR B) = A

In our environment, this returns the one workstation device whose NetBIOS name contains 101, which is 1ETRNW101.

Rule example 2b

Rule example 3

Management Group rules do not let you place a Boolean NOT operator around a grouping, but you can convert an expression into NOT rules, for example:

NOT ("Device Netbios Name Contains AP" OR "Device Netbios Name Contains CM")

Using rules, you can express this as:

"Device Netbios Name Not contains AP" AND "Device Netbios Name Not contains CM"

You could reduce this to the statement:

NOT (A OR B) = (NOT A) AND (NOT B)

In our environment this returns the six devices where the NetBIOS name does not contain AP or CM. The devices it excludes are 1ETRNAP, our application server, and 1ETRNCM, our Configuration Manager server.

Rule example 3
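
The three identities from the rule examples above, and the ambiguous A AND B OR C case, checked exhaustively and then against a device list. This is an added example rather than 1E code: the function names are hypothetical, the device names other than 1ETRNW101, 1ETRNAP and 1ETRNCM are constructed, and case-insensitive -like matching stands in for the Begins with and Contains operators.

```powershell
# Added example, not 1E code. Compare-RuleLogic and Get-RuleMembers are hypothetical helpers.

# Returns every truth assignment on which two rule expressions disagree.
# No output means the two expressions always select the same devices.
function Compare-RuleLogic {
    param(
        [Parameter(Mandatory)][scriptblock]$Left,
        [Parameter(Mandatory)][scriptblock]$Right
    )
    foreach ($va in $false, $true) {
        foreach ($vb in $false, $true) {
            foreach ($vc in $false, $true) {
                $l = [bool](& $Left  $va $vb $vc)
                $r = [bool](& $Right $va $vb $vc)
                if ($l -ne $r) {
                    [pscustomobject]@{ A = $va; B = $vb; C = $vc; Left = $l; Right = $r }
                }
            }
        }
    }
}

# Returns the devices for which a rule expression is true.
function Get-RuleMembers {
    param([string[]]$Devices, [scriptblock]$Rule)
    $Devices | Where-Object { & $Rule $_ }
}

# The identities used in Rule examples 1 to 3.
$identities = [ordered]@{
    'A OR (A AND B) = A' = @(
        { param($A, $B, $C) $A -or ($A -and $B) },
        { param($A, $B, $C) $A })
    'A AND (A OR B) = A' = @(
        { param($A, $B, $C) $A -and ($A -or $B) },
        { param($A, $B, $C) $A })
    'NOT (A OR B) = (NOT A) AND (NOT B)' = @(
        { param($A, $B, $C) -not ($A -or $B) },
        { param($A, $B, $C) (-not $A) -and (-not $B) })
}
foreach ($name in $identities.Keys) {
    $diff = @(Compare-RuleLogic -Left $identities[$name][0] -Right $identities[$name][1])
    '{0,-38} equivalent: {1}' -f $name, ($diff.Count -eq 0)
}

# The two readings of "A AND B OR C" disagree whenever A is false and C is true.
Compare-RuleLogic -Left  { param($A, $B, $C) $A -and ($B -or $C) } `
                  -Right { param($A, $B, $C) ($A -and $B) -or $C } | Format-Table -AutoSize

# The same disagreement expressed as group membership (constructed device list).
$devices  = '1ETRNW71', '1ETRNW72', '1ETRNW101', '1ETRNW102', '1ETRNW103', '1ETRNDC', '1ETRNAP', '1ETRNCM'
$beginsW  = { param($n) $n -like '1ETRNW*' }   # A: Device Netbios Name begins with 1ETRNW
$has101   = { param($n) $n -like '*101*' }     # B: Device Netbios Name contains 101
$hasAP    = { param($n) $n -like '*AP*' }      # C: Device Netbios Name contains AP

$narrow = Get-RuleMembers $devices { param($n) (& $beginsW $n) -and ((& $has101 $n) -or (& $hasAP $n)) }
$wide   = Get-RuleMembers $devices { param($n) ((& $beginsW $n) -and (& $has101 $n)) -or (& $hasAP $n) }

"A AND (B OR C) : $($narrow -join ', ')"
"(A AND B) OR C : $($wide -join ', ')"
```

The second grouping adds the application server to the group, which matters when roles are assigned to that Management Group.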

List of available rules


The rules used to create Management Groups, and the connectors that provide the data to support the rules.

For details of how to create and use Management Groups, please refer to the Management Groups page.

The number of rules that a single Management Group can contain is variable because of many factors including SQL Server version, server configuration and rule type used. 1E recommends not exceeding 10,000 rules per rule-based Management Group.

Rule nameDescriptionSCCMServiceNowTachyonOracleLMSBigFixBigFixInvIntunevCenterWSUS
Device ADSite NameAD Site the device is connected to.(tick)(tick)






Device Assigned Cores

Maximum number of assigned cores for the device.

Derived from 

(tick)(tick)(tick)(tick)(tick)

(tick)
Device Classification

Classification of the device. For example, Test, Production or Development.

Production is the default.
(tick)(tick)
(tick)




Device Computer NameHostname of the computer.(tick)(tick)(tick)(tick)(tick)(tick)(tick)(tick)(tick)
Device Criticality

By default, Device Criticality is set as one of the following, as described in Tachyon Explorer 8.0: Using Device Criticality.

  • Undefined
  • Non-critical
  • Low
  • Medium
  • High
  • Critical.
(tick)(tick)(tick)(tick)(tick)(tick)(tick)(tick)(tick)
Device Domain NameDomain the device is installed on.(tick)(tick)(tick)

(tick)


Device Inventory dateDate that the device was last updated.(tick)(tick)(tick)(tick)

(tick)(tick)(tick)
Device Matched Device TypeNormalized device type based on chassis type. For example Desktop.(tick)(tick)(tick)(tick)(tick)
(tick)(tick)(tick)
Device Matched FamilyNormalized family of the device. For example, Aspire.(tick)(tick)(tick)(tick)(tick)

(tick)
Device Matched ModelNormalized model of the device. For example, A30.(tick)(tick)(tick)(tick)(tick)
(tick)(tick)(tick)
Device Matched Socket countNormalized socket count of the device. For example, 1.(tick)(tick)(tick)(tick)(tick)
(tick)(tick)(tick)
Device Matched VendorNormalized vendor name of the device. For example, Acer Inc..(tick)(tick)(tick)(tick)(tick)
(tick)(tick)(tick)
Device Netbios Domain nameNetBIOS version of the device's domain name.(tick)(tick)(tick)





Device Netbios NameNetBIOS version of the device name.(tick)(tick)(tick)



(tick)
Device OSThe normalized product title of the OS that is running on the device.(tick)(tick)(tick)
(tick)(tick)
(tick)
Device Purchase dateDate that the device was purchased.(tick)(tick)






Device SerialSerial number of the computer.(tick)(tick)


(tick)(tick)

Device User Primary Username

The primary user of the device. 

(tick)
(tick)





OU Name (Deprecated)

Name of the OU that the device is in. For example Sales.

All OUs with the same name will be used, therefore the OU Path rule should be used instead. The OU Name rule is deprecated and should be re-defined using OU Path.

This rule is deprecated, which means it will continue to work until it is removed in a future version of Tachyon.

(tick)(tick)






OU Path

The name or path of the OU location in the AD hierarchy, using pipe | as the delimiter.

For example, to get all the computers in OU=Sales, OU=Workstations, DC=acme, DC=local you can either specify Sales or - if there is more than one OU called Sales in the AD structure - specify the whole path acme.local|Workstations|Sales. Note that the DC and OU parts of a distinguished name are treated differently.

(tick)(tick)






Processor Matched Chip Module CountNormalized chip module count of the processor. For example, 1.(tick)(tick)(tick)(tick)(tick)



Processor Matched Core CountNormalized core count of the processor. For example, 2.(tick)(tick)(tick)(tick)(tick)

(tick)
Processor Matched Family

Normalized family name of the processor. For example, Athlon 64 X2.
(tick)(tick)(tick)(tick)(tick)

(tick)
Processor Matched Model

Normalized model name of the processor. For example, 3250e.
(tick)(tick)(tick)(tick)(tick)

(tick)
Processor Matched Processor Type

Normalized type of the processor. For example, Desktop.
(tick)(tick)(tick)(tick)(tick)

(tick)
Processor Matched Release Date

Normalized release date of the processor. For example, 31-03-2008.
(tick)(tick)(tick)(tick)(tick)

(tick)
Processor Matched Speed M Hz

Normalized speed of the processor. For example, 2.100.
(tick)(tick)(tick)(tick)(tick)

(tick)
Processor Matched Threads per Core

Normalized threads per core of the processor. For example, 1.
(tick)(tick)(tick)(tick)(tick)

(tick)
Processor Matched Vendor

Normalized vendor name of the processor. For example, Advanced Micro Devices, Inc.
(tick)(tick)(tick)(tick)(tick)

(tick)
Product Catalog Colloquial Version

Software colloquial version contained in the inventory source. For example, 2012.

This will usually be blank.
(tick)(tick)


(tick)(tick)

Product Catalog Edition

Software edition contained in the inventory source. For example, Standard.

This will usually be blank in SCCM unless the relevant MOF extensions have been installed.
(tick)(tick)(tick)

(tick)(tick)

Product Catalog Is Partial Version Matched

Flag that indicates whether the software title was partially matched (TRUE/1) or not (FALSE/0).
(tick)(tick)(tick)(tick)(tick)(tick)(tick)

Product Catalog Matched Colloquial Version

Normalized software colloquial version. For example, 2016.
(tick)(tick)(tick)(tick)(tick)(tick)(tick)

Product Catalog Matched Edition

Normalized software edition. For example, Standard.
(tick)(tick)(tick)(tick)(tick)(tick)(tick)

Product Catalog Matched End of Support

Normalized software end of support date of that version. For example, 31-10-2008.
(tick)(tick)(tick)(tick)(tick)(tick)(tick)

Product Catalog Matched is Bundle

Flag indicating whether the normalized software is a bundle (TRUE/1) or not (FALSE/0).
(tick)(tick)(tick)(tick)(tick)(tick)(tick)

Product Catalog Matched Is License Required

Flag indicating whether that normalized software title requires a license (TRUE/1) or not (FALSE/0).
(tick)(tick)(tick)(tick)(tick)(tick)(tick)

Product Catalog Matched Release Date

Normalized software release date of that version. For example, 31-10-2008.
(tick)(tick)(tick)(tick)(tick)(tick)(tick)

Product Catalog Matched Title

Normalized software title. For example, Office.
(tick)(tick)(tick)(tick)(tick)(tick)(tick)

Product Catalog Matched Vendor

Normalized software vendor name. For example, Microsoft Corporation.
(tick)(tick)(tick)(tick)(tick)(tick)(tick)

Product Catalog Matched Version

Normalized software version. For example, 10.2.233.
(tick)(tick)(tick)(tick)(tick)(tick)(tick)

Product Catalog Title

Software title contained in the inventory source. For example, Office Standard en_pack.
(tick)(tick)(tick)(tick)(tick)(tick)(tick)

Product Catalog UN Standard Product Service Code

UNSPSC code of the normalized software title.
(tick)(tick)(tick)(tick)(tick)(tick)(tick)

Product Catalog Vendor

Software vendor name contained in the inventory source. For example, Microsoft.
(tick)(tick)(tick)
(tick)(tick)(tick)

Product Catalog Version

Software version number contained in the inventory source. For example, 10.2.233.
(tick)(tick)(tick)(tick)(tick)(tick)(tick)

Product Install Date

Date that the software was installed according to the inventory source.
(tick)
(tick)





Product Instance Name

Instance name if used by a product, for example MSSQLSERVER for SQL Server.
(tick)(tick)(tick)(tick)(tick)



Product Last Used date

Date that software installation was last run according to the inventory source.
(tick)
(tick)





Product Usage Category

Usage category assigned to a specific installation of a normalized software title. Potential categories are:
- Used
- Unused
- Rarely used
- Unreported
(tick)(tick)(tick)(tick)