MDM Device Group sync
Petros Amoiridis
Workbrew can sync Device Groups from a connected MDM provider. Synced groups mirror the groupings defined in your MDM, updating their membership automatically on a recurring schedule. This feature is available on Pro and Enterprise plans.
Supported providers
Each provider maps a different concept to Workbrew Device Groups. See MDM integration for provider setup and credential requirements.
| Provider | Synced as Device Groups |
|---|---|
| Jamf | Computer groups |
| Iru (formerly Kandji) | Tags |
| SimpleMDM | Assignment groups |
| Fleet | Labels |
| JumpCloud | System groups |
| Microsoft Intune | Security groups |
What gets synced
Device Groups
Each sync pulls the full list of groups from the MDM and reconciles them with existing synced groups in Workbrew. Groups that no longer exist in the MDM are detached (their MDM link is removed) and become editable like any manually created group.
Device membership
Devices are matched to their MDM counterparts using an MDM-assigned device identifier. On each sync, Workbrew adds Devices that appeared in the MDM group and removes Devices that are no longer in it, so the group's membership stays in sync with the MDM.
Sync schedule
| Trigger | Interval |
|---|---|
| Automatic (scheduled) | Every 6 hours |
| Manual (from the Workbrew Console) | On demand, with a 15-minute cooldown between syncs |
| MDM provider change | Immediately when the Workspace's MDM type is set or changed |
Only one sync runs per Workspace at a time.
Synced group behavior
Synced groups are marked as Managed by the MDM provider in the Workbrew Console. They differ from manually created groups in the following ways:
| | Synced groups | Manual groups |
|---|---|---|
| Name | Set by the MDM, updated on each sync | Editable |
| Device membership | Controlled by the MDM, updated on each sync | Editable |
| Policies and settings | Editable | Editable |
| Deletable from Workbrew | Yes | Yes |
If a synced group's name conflicts with an existing group, Workbrew appends the provider name (e.g. Engineering (Jamf)).
Sync errors
When a sync fails, the error is recorded against the Workspace and displayed in the Workbrew Console. Errors are categorized by type:
| Error type | Meaning |
|---|---|
| Unauthorized | The API token or credentials are invalid or expired |
| Forbidden | The credentials lack the required permissions |
| Not found | The MDM host or API endpoint could not be reached |
| Connection failed | A network or DNS error prevented the connection |
| SSL error | TLS certificate validation failed |
| Server error | The MDM provider returned a server-side error |
A failed sync does not modify existing synced groups. Previous group data is preserved until the next successful sync.
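
The reconciliation rules described on this page, modeled as an added Python example (not Workbrew's code). The data shapes, the names `reconcile`, `fetch` and `SyncError`, and the choice to keep a detached group's members are assumptions made for illustration.

```python
import copy

class SyncError(Exception):
    """Stands in for any error type in the table above (e.g. Unauthorized)."""

def reconcile(groups, fetch, provider):
    """Return the group list after one sync; the input list is never mutated.

    groups: list of dicts {name, mdm_id (None = manual or detached), devices: set}
    fetch:  hypothetical callable returning {mdm_id: (name, device_ids)}
    """
    try:
        remote = fetch()                    # full list of groups from the MDM
    except SyncError:
        return groups                       # failed sync: previous data preserved
    new = copy.deepcopy(groups)             # build the result on a copy
    by_id = {g["mdm_id"]: g for g in new if g["mdm_id"] is not None}
    for g in new:
        if g["mdm_id"] is not None and g["mdm_id"] not in remote:
            g["mdm_id"] = None              # gone from the MDM: detach the link
            # assumption: the detached group keeps its current members
    for mdm_id, (name, devices) in remote.items():
        g = by_id.get(mdm_id)
        if g is None:                       # group is new in the MDM
            g = {"name": None, "mdm_id": mdm_id, "devices": set()}
            new.append(g)
        taken = {o["name"] for o in new if o is not g}
        # name conflict with another group: append the provider name
        g["name"] = f"{name} ({provider})" if name in taken else name
        g["devices"] = set(devices)         # adds new members, drops removed ones
    return new

# Constructed sample state: one manual group, two groups previously synced.
STATE = [
    {"name": "Engineering", "mdm_id": None, "devices": {"d1"}},
    {"name": "Engineering (Jamf)", "mdm_id": "g1", "devices": {"d2", "d3"}},
    {"name": "Contractors", "mdm_id": "g2", "devices": {"d4"}},
]

def mdm_ok():    # constructed MDM response: g2 deleted, g3 created, g1 changed
    return {"g1": ("Engineering", {"d3", "d5"}), "g3": ("Design", {"d6"})}

def mdm_down():  # constructed failure, e.g. an expired API token
    raise SyncError("Unauthorized")

if __name__ == "__main__":
    for g in reconcile(STATE, mdm_ok, "Jamf"):
        print(g["name"], g["mdm_id"], sorted(g["devices"]))
```

Because policies stay attached to a group after it is detached, a group deleted in the MDM keeps applying its policies in this model until someone edits or deletes it.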
Related docs
- MDM integration - supported providers, credentials, and what connecting an MDM provides
- How MDM Device Group sync works - design decisions behind the sync mechanism
- How policies apply to Devices in multiple groups - how Workbrew resolves conflicting policies across Device Groups