Device Groups
Device Groups let you organize VPN app devices into logical collections and apply routing policies at the group level. Instead of configuring each device individually, assign it to a group and the group's policies apply automatically.
Navigate to Equipment > Device Groups in the sidebar.
Device Groups Page
Stat Cards
| Card | Description |
|---|---|
| Total Groups | Number of device groups |
| Total Devices | Sum of all devices across all groups |
| Empty Groups | Groups with no devices assigned |
| Policies Assigned | Total number of routing policy assignments across all groups |
Table Columns
| Column | Description |
|---|---|
| Group Name | Name and description of the group |
| Devices | Number of devices assigned |
| Policies | Number of routing policies assigned |
| Actions | Edit and Delete buttons |
Creating a Group
- Click Create Group.
- Fill in the form:
| Field | Required | Description |
|---|---|---|
| Group Name | Yes | A descriptive name (e.g., "Engineering Team") |
| Description | No | Additional details about the group's purpose |
| Routing Policies | No | Select from available globally-enabled routing policies |
- Click Create Group to save.
Routing Policy Assignment
The group creation/edit modal shows all globally-enabled routing policies (policies not tied to a specific edge). Each policy displays its name, description, and rule count.
Select the policies you want to apply to devices in this group. When a device is assigned to the group, these routing policies take effect.
Only globally-enabled routing policies appear in the group modal. Edge-specific policies are managed separately on each edge's configuration page.
Editing a Group
Click the Edit button on a group row to modify:
- Group name and description
- Routing policy assignments (add or remove policies)
Changes apply to all devices in the group.
Deleting a Group
Click the Delete button on a group row. If the group has devices assigned:
- The devices are unassigned from the group (not deleted)
- The devices lose their group-level routing policies
- The devices continue to function with their base VPN configuration
Assigning Devices to Groups
Devices can be assigned to groups in two ways:
From the Device Detail Page
- Open a device's detail page
- Click Change next to the Device Group field
- Select a group from the dropdown (or "Unassigned" to remove from all groups)
- Click Update Group
Via Default Device Group on App VPN Server
When configuring the App VPN server on an edge (WireGuard or IKEv2), you can set a Default Device Group. New devices connecting to that server are automatically assigned to the specified group.
Effect of Group Assignment
When a device is assigned to a group:
- The group's routing policies apply to the device's VPN connection
- The routing policies are visible on the device's detail page under "Routing Policies"
- If the device is removed from the group, the routing policies no longer apply
When a device is unassigned:
- Only globally-enabled routing policies (not tied to any group or edge) still apply
- The device detail page shows a hint to assign the device to a group for policy-based routing