diff --git a/admin_ui/index.html b/admin_ui/index.html
index ec21291..595e546 100644
--- a/admin_ui/index.html
+++ b/admin_ui/index.html
@@ -37,12 +37,8 @@
            hx-get="/admin/pages/strategies" hx-target="#main" hx-push-url="#strategies">Strategies</a>
         <a class="nav-link block px-3 py-1.5 text-sm rounded text-slate-300 hover:bg-slate-800"
            hx-get="/admin/pages/address-books" hx-target="#main" hx-push-url="#address-books">Address books</a>
-        <a class="nav-link block px-3 py-1.5 text-sm rounded text-slate-300 hover:bg-slate-800"
-           hx-get="/admin/pages/oidc" hx-target="#main" hx-push-url="#oidc">OIDC providers</a>
         <a class="nav-link block px-3 py-1.5 text-sm rounded text-slate-300 hover:bg-slate-800"
            hx-get="/admin/pages/audit" hx-target="#main" hx-push-url="#audit">Audit log</a>
-        <a class="nav-link block px-3 py-1.5 text-sm rounded text-slate-300 hover:bg-slate-800"
-           hx-get="/admin/pages/recordings" hx-target="#main" hx-push-url="#recordings">Recordings</a>
         <a class="nav-link block px-3 py-1.5 text-sm rounded text-slate-300 hover:bg-slate-800"
            hx-get="/admin/pages/deploy" hx-target="#main" hx-push-url="#deploy">Deploy</a>
       </nav>
diff --git a/src/api/admin/mod.rs b/src/api/admin/mod.rs
index 9808596..fd06cfc 100644
--- a/src/api/admin/mod.rs
+++ b/src/api/admin/mod.rs
@@ -121,6 +121,14 @@ pub fn build(state: Arc<crate::api::state::AppState>) -> Option<Router> {
             "/admin/pages/groups/:id/members/:user_id/remove",
             post(pages::groups::remove_member),
         )
+        .route(
+            "/admin/pages/groups/:id/peers/add",
+            post(pages::groups::add_peer),
+        )
+        .route(
+            "/admin/pages/groups/:id/peers/:peer_id/remove",
+            post(pages::groups::remove_peer),
+        )
         // Strategies
         .route(
             "/admin/pages/strategies/create",
@@ -181,7 +189,6 @@ pub fn build(state: Arc<crate::api::state::AppState>) -> Option<Router> {
             "/admin/pages/address-books/:guid/shares/:user_id/remove",
             post(pages::address_books::share_remove),
         )
-        .route("/admin/pages/oidc", get(pages::oidc::index))
         // Self-service profile — cookie-only, no admin gate.
         .route("/admin/pages/profile", get(pages::profile::index))
         .route(
@@ -204,8 +211,7 @@ pub fn build(state: Arc<crate::api::state::AppState>) -> Option<Router> {
             "/admin/pages/profile/totp/remove",
             post(pages::profile::totp_remove),
         )
-        .route("/admin/pages/audit", get(pages::audit::index))
-        .route("/admin/pages/recordings", get(pages::recordings::index));
+        .route("/admin/pages/audit", get(pages::audit::index));
     hbb_common::log::info!(
         "admin dashboard mounted at /admin (HTML embedded; --admin-ui-dir is informational)"
     );
diff --git a/src/api/admin/pages/deploy.rs b/src/api/admin/pages/deploy.rs
index 0195b61..e206bd1 100644
--- a/src/api/admin/pages/deploy.rs
+++ b/src/api/admin/pages/deploy.rs
@@ -253,12 +253,13 @@ fn render_result(host: &str, key: &str, api: &str, relay: &str, blob: &str) -> S
         licensed = licensed
     );
     let cmd_unix = format!("rustdesk --config {}", licensed);
+    let cmd_hello = format!("hello-agent.exe --install --config {}", blob);
 
     format!(
         r##"<section class="space-y-4 bg-slate-900 border border-slate-800 rounded-lg p-4">
   <header>
     <h3 class="text-sm font-semibold text-slate-200">Deployment artifact</h3>
-    <p class="text-xs text-slate-500 mt-1">Pick whichever path fits your rollout. Both produce the same client config.</p>
+    <p class="text-xs text-slate-500 mt-1">Pick whichever path fits your rollout. All three produce the same client config.</p>
   </header>
 
   <div>
@@ -274,6 +275,12 @@ fn render_result(host: &str, key: &str, api: &str, relay: &str, blob: &str) -> S
     {renamed_note}
   </div>
 
+  <div>
+    <label class="block text-xs font-medium text-slate-400 mb-1">C. HelloAgent (Windows, MDM one-liner)</label>
+    <pre class="text-xs bg-slate-950 border border-slate-800 rounded p-2 overflow-x-auto select-all whitespace-pre-wrap break-all">{cmd_hello}</pre>
+    <p class="text-xs text-slate-500 mt-1">Headless agent — registers the Windows service and imports this config in a single command. Run elevated.</p>
+  </div>
+
   <details class="text-xs text-slate-400">
     <summary class="cursor-pointer text-slate-300 select-none">Raw blob</summary>
     <pre class="mt-2 bg-slate-950 border border-slate-800 rounded p-2 overflow-x-auto select-all whitespace-pre-wrap break-all">{blob}</pre>
@@ -281,6 +288,7 @@ fn render_result(host: &str, key: &str, api: &str, relay: &str, blob: &str) -> S
 </section>"##,
         cmd_win = html_escape(&cmd_win),
         cmd_unix = html_escape(&cmd_unix),
+        cmd_hello = html_escape(&cmd_hello),
         renamed = html_escape(&renamed),
         renamed_note = renamed_note,
         blob = html_escape(blob),
diff --git a/src/api/admin/pages/groups.rs b/src/api/admin/pages/groups.rs
index 57b1c22..0c726c4 100644
--- a/src/api/admin/pages/groups.rs
+++ b/src/api/admin/pages/groups.rs
@@ -95,8 +95,78 @@ pub async fn remove_member(
     Ok(Html(render_full(&state).await?))
 }
 
+#[derive(Debug, Deserialize)]
+pub struct PeerForm {
+    pub peer_id: String,
+}
+
+pub async fn add_peer(
+    Extension(state): Extension<Arc<AppState>>,
+    admin: AuthedUser,
+    Path(id): Path<i64>,
+    Form(form): Form<PeerForm>,
+) -> Result<Html<String>, ApiError> {
+    require_admin(&admin)?;
+    let peer_id = form.peer_id.trim();
+    if peer_id.is_empty() {
+        return notice_then(&state, "error", "Device ID required").await;
+    }
+    let exists = state
+        .db
+        .peer_exists(peer_id)
+        .await
+        .map_err(|e| ApiError::Internal(e.to_string()))?;
+    if !exists {
+        return notice_then(
+            &state,
+            "error",
+            &format!("No device '{}' has reported in yet.", peer_id),
+        )
+        .await;
+    }
+    state
+        .db
+        .device_group_add_peer(id, peer_id)
+        .await
+        .map_err(|e| ApiError::Internal(e.to_string()))?;
+    Ok(Html(render_full(&state).await?))
+}
+
+pub async fn remove_peer(
+    Extension(state): Extension<Arc<AppState>>,
+    admin: AuthedUser,
+    Path((id, peer_id)): Path<(i64, String)>,
+) -> Result<Html<String>, ApiError> {
+    require_admin(&admin)?;
+    state
+        .db
+        .device_group_remove_peer(id, &peer_id)
+        .await
+        .map_err(|e| ApiError::Internal(e.to_string()))?;
+    Ok(Html(render_full(&state).await?))
+}
+
 // ---------- rendering ----------
 
+/// Minimal percent-encoder for path segments. Peer IDs are usually digits,
+/// but the schema allows arbitrary text — encode anything outside the
+/// unreserved set so a literal `/` or `?` in a peer id can't break routing.
+fn url_encode(s: &str) -> String {
+    let mut out = String::with_capacity(s.len());
+    for b in s.as_bytes() {
+        match b {
+            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => {
+                out.push(*b as char);
+            }
+            _ => {
+                use std::fmt::Write;
+                let _ = write!(out, "%{:02X}", b);
+            }
+        }
+    }
+    out
+}
+
 async fn notice_then(
     state: &Arc<AppState>,
     kind: &str,
@@ -144,9 +214,14 @@ async fn render_full(state: &Arc<AppState>) -> Result<String, ApiError> {
             .device_group_members(g.id)
             .await
             .map_err(|e| ApiError::Internal(e.to_string()))?;
+        let peer_members = state
+            .db
+            .device_group_peer_members(g.id)
+            .await
+            .map_err(|e| ApiError::Internal(e.to_string()))?;
         let _ = write!(
             s,
-            r##"<section class="rounded-md border border-slate-800 bg-slate-900 p-4 space-y-3">
+            r##"<section class="rounded-md border border-slate-800 bg-slate-900 p-4 space-y-4">
   <header class="flex items-center justify-between">
     <h3 class="font-semibold">{name}</h3>
     <button class="text-xs text-rose-400 hover:text-rose-300"
@@ -154,13 +229,15 @@ async fn render_full(state: &Arc<AppState>) -> Result<String, ApiError> {
       hx-confirm="Delete group {name}? Members aren't deleted; just unassigned."
       hx-target="#groups-region" hx-swap="outerHTML">Delete group</button>
   </header>
-  <ul class="text-sm divide-y divide-slate-800">"##,
+  <div>
+    <h4 class="text-xs font-semibold text-slate-400 uppercase tracking-wide mb-1">Users</h4>
+    <ul class="text-sm divide-y divide-slate-800">"##,
             id = g.id,
             name = html_escape(&g.name)
         );
         if members.is_empty() {
             s.push_str(
-                r##"<li class="py-2 text-slate-500 text-xs">No members yet.</li>"##,
+                r##"<li class="py-2 text-slate-500 text-xs">No user members yet.</li>"##,
             );
         }
         for u in &members {
@@ -203,10 +280,63 @@ async fn render_full(state: &Arc<AppState>) -> Result<String, ApiError> {
             }
             s.push_str(
                 r##"</select>
-  <button class="bg-sky-700 hover:bg-sky-600 rounded px-3 py-1.5 text-xs">Add member</button>
+  <button class="bg-sky-700 hover:bg-sky-600 rounded px-3 py-1.5 text-xs">Add user</button>
 </form>"##,
             );
         }
+        s.push_str("</div>");
+
+        // ---- Devices section ----
+        let _ = write!(
+            s,
+            r##"<div>
+    <h4 class="text-xs font-semibold text-slate-400 uppercase tracking-wide mb-1">Devices</h4>
+    <ul class="text-sm divide-y divide-slate-800">"##
+        );
+        if peer_members.is_empty() {
+            s.push_str(
+                r##"<li class="py-2 text-slate-500 text-xs">No devices added directly. (Devices owned by user members above are also visible to them.)</li>"##,
+            );
+        }
+        for (peer_id, owner) in &peer_members {
+            let owner_label = if owner.is_empty() {
+                String::from(r##"<span class="text-slate-500">unowned</span>"##)
+            } else {
+                format!(
+                    r##"<span class="text-slate-500">owner: {}</span>"##,
+                    html_escape(owner)
+                )
+            };
+            let _ = write!(
+                s,
+                r##"<li class="py-2 flex items-center justify-between">
+  <span class="font-mono text-slate-200">{pid}</span>
+  <span class="text-xs flex items-center gap-3">
+    {owner_label}
+    <button class="text-slate-400 hover:text-rose-300"
+      hx-post="/admin/pages/groups/{gid}/peers/{pid_url}/remove"
+      hx-target="#groups-region" hx-swap="outerHTML">Remove</button>
+  </span>
+</li>"##,
+                pid = html_escape(peer_id),
+                pid_url = url_encode(peer_id),
+                gid = g.id,
+                owner_label = owner_label,
+            );
+        }
+        s.push_str("</ul>");
+        let _ = write!(
+            s,
+            r##"<form class="flex gap-2 text-sm pt-2 border-t border-slate-800"
+  hx-post="/admin/pages/groups/{id}/peers/add"
+  hx-target="#groups-region" hx-swap="outerHTML">
+  <input name="peer_id" placeholder="Device ID (e.g. 123456789)" required
+    class="flex-1 bg-slate-800 border border-slate-700 rounded px-2 py-1.5 font-mono"/>
+  <button class="bg-sky-700 hover:bg-sky-600 rounded px-3 py-1.5 text-xs">Add device</button>
+</form></div>"##,
+            id = g.id
+        );
+
         s.push_str("</section>");
     }
     s.push_str("</div>");
diff --git a/src/api/admin/pages/mod.rs b/src/api/admin/pages/mod.rs
index 80a1c11..19d4c00 100644
--- a/src/api/admin/pages/mod.rs
+++ b/src/api/admin/pages/mod.rs
@@ -7,9 +7,7 @@ pub mod connect;
 pub mod deploy;
 pub mod devices;
 pub mod groups;
-pub mod oidc;
 pub mod profile;
-pub mod recordings;
 pub mod shared;
 pub mod strategies;
 pub mod users;
diff --git a/src/api/admin/pages/oidc.rs b/src/api/admin/pages/oidc.rs
deleted file mode 100644
index 223b9cb..0000000
--- a/src/api/admin/pages/oidc.rs
+++ /dev/null
@@ -1,73 +0,0 @@
-//! OIDC providers — read-only listing of what's currently in
-//! `oidc_providers`. Editing providers is operator-side via the
-//! `--oidc-config` TOML or hand-inserted SQL; the dashboard surfaces them
-//! so admins can confirm what's wired up without leaving the UI.
-
-use super::shared::{html_escape, require_admin};
-use crate::api::error::ApiError;
-use crate::api::middleware::AuthedUser;
-use crate::api::state::AppState;
-use axum::extract::Extension;
-use axum::response::Html;
-use std::fmt::Write as _;
-use std::sync::Arc;
-
-pub async fn index(
-    Extension(state): Extension<Arc<AppState>>,
-    admin: AuthedUser,
-) -> Result<Html<String>, ApiError> {
-    require_admin(&admin)?;
-    let providers = state
-        .db
-        .oidc_provider_list_enabled()
-        .await
-        .map_err(|e| ApiError::Internal(e.to_string()))?;
-    let mut s = String::new();
-    s.push_str(
-        r##"<div class="space-y-4">
-  <header>
-    <h2 class="text-lg font-semibold">OIDC providers</h2>
-    <p class="text-xs text-slate-500 mt-1">Read-only. Add/edit via <code>--oidc-config</code> TOML at startup, or by inserting into the <code>oidc_providers</code> table.</p>
-  </header>"##,
-    );
-    if providers.is_empty() {
-        s.push_str(
-            r##"<p class="text-slate-500 text-sm">No OIDC providers configured.</p></div>"##,
-        );
-        return Ok(Html(s));
-    }
-    s.push_str(
-        r##"<div class="rounded-md border border-slate-800 bg-slate-900 overflow-hidden">
-  <table class="w-full text-sm">
-    <thead class="text-xs uppercase text-slate-500 bg-slate-950"><tr>
-      <th class="text-left font-medium px-3 py-2">Name</th>
-      <th class="text-left font-medium px-3 py-2">Display name</th>
-      <th class="text-left font-medium px-3 py-2">Issuer</th>
-      <th class="text-left font-medium px-3 py-2">Client ID</th>
-      <th class="text-left font-medium px-3 py-2">Scopes</th>
-      <th class="text-left font-medium px-3 py-2">Redirect</th>
-    </tr></thead>
-    <tbody class="divide-y divide-slate-800">"##,
-    );
-    for p in &providers {
-        let _ = write!(
-            s,
-            r##"<tr>
-  <td class="px-3 py-2 font-medium text-slate-200">{name}</td>
-  <td class="px-3 py-2 text-slate-300">{display}</td>
-  <td class="px-3 py-2 text-slate-400 font-mono text-xs">{issuer}</td>
-  <td class="px-3 py-2 text-slate-400 font-mono text-xs">{client_id}</td>
-  <td class="px-3 py-2 text-slate-400 text-xs">{scopes}</td>
-  <td class="px-3 py-2 text-slate-400 font-mono text-xs">{redirect}</td>
-</tr>"##,
-            name = html_escape(&p.name),
-            display = html_escape(p.display_name.as_deref().unwrap_or("")),
-            issuer = html_escape(&p.issuer_url),
-            client_id = html_escape(&p.client_id),
-            scopes = html_escape(&p.scopes),
-            redirect = html_escape(&p.redirect_url),
-        );
-    }
-    s.push_str("</tbody></table></div></div>");
-    Ok(Html(s))
-}
diff --git a/src/api/admin/pages/recordings.rs b/src/api/admin/pages/recordings.rs
deleted file mode 100644
index 17d7f40..0000000
--- a/src/api/admin/pages/recordings.rs
+++ /dev/null
@@ -1,87 +0,0 @@
-//! Recordings — list-only. Adding a streaming download handler is a
-//! follow-up; for now the operator looks at the filenames + sizes and
-//! pulls files from `--recording-dir` directly.
-
-use super::shared::{fmt_unix, html_escape, require_admin};
-use crate::api::error::ApiError;
-use crate::api::middleware::AuthedUser;
-use crate::api::state::AppState;
-use axum::extract::Extension;
-use axum::response::Html;
-use std::fmt::Write as _;
-use std::sync::Arc;
-
-const PAGE_SIZE: i64 = 200;
-
-pub async fn index(
-    Extension(state): Extension<Arc<AppState>>,
-    admin: AuthedUser,
-) -> Result<Html<String>, ApiError> {
-    require_admin(&admin)?;
-    let rows = state
-        .db
-        .recordings_list(PAGE_SIZE)
-        .await
-        .map_err(|e| ApiError::Internal(e.to_string()))?;
-    let mut s = String::new();
-    s.push_str(
-        r##"<div class="space-y-4">
-  <header>
-    <h2 class="text-lg font-semibold">Recordings</h2>
-    <p class="text-xs text-slate-500 mt-1">Files live under <code>--recording-dir</code>. Pull them with <code>scp</code> / <code>rsync</code> for now; an in-browser download is coming.</p>
-  </header>"##,
-    );
-    if rows.is_empty() {
-        s.push_str(
-            r##"<p class="text-slate-500 text-sm">No session recordings yet.</p></div>"##,
-        );
-        return Ok(Html(s));
-    }
-    s.push_str(
-        r##"<div class="rounded-md border border-slate-800 bg-slate-900 overflow-hidden">
-  <table class="w-full text-sm">
-    <thead class="text-xs uppercase text-slate-500 bg-slate-950"><tr>
-      <th class="text-left font-medium px-3 py-2">Filename</th>
-      <th class="text-left font-medium px-3 py-2">Peer</th>
-      <th class="text-left font-medium px-3 py-2">Size</th>
-      <th class="text-left font-medium px-3 py-2">State</th>
-      <th class="text-left font-medium px-3 py-2">Started</th>
-      <th class="text-left font-medium px-3 py-2">Finished</th>
-    </tr></thead>
-    <tbody class="divide-y divide-slate-800">"##,
-    );
-    for r in &rows {
-        let _ = write!(
-            s,
-            r##"<tr>
-  <td class="px-3 py-2 font-mono text-slate-200 text-xs">{file}</td>
-  <td class="px-3 py-2 font-mono text-slate-300">{peer}</td>
-  <td class="px-3 py-2 text-slate-400">{size}</td>
-  <td class="px-3 py-2 text-slate-400">{state}</td>
-  <td class="px-3 py-2 text-slate-500 text-xs">{started}</td>
-  <td class="px-3 py-2 text-slate-500 text-xs">{finished}</td>
-</tr>"##,
-            file = html_escape(&r.filename),
-            peer = html_escape(&r.peer_id),
-            size = human_size(r.size),
-            state = html_escape(&r.state),
-            started = html_escape(&fmt_unix(r.started_at)),
-            finished = html_escape(&r.finished_at.map(fmt_unix).unwrap_or_else(|| "—".into()))
-        );
-    }
-    s.push_str("</tbody></table></div></div>");
-    Ok(Html(s))
-}
-
-fn human_size(bytes: i64) -> String {
-    let b = bytes as f64;
-    if bytes < 1024 {
-        format!("{} B", bytes)
-    } else if b < 1024.0 * 1024.0 {
-        format!("{:.1} KiB", b / 1024.0)
-    } else if b < 1024.0 * 1024.0 * 1024.0 {
-        format!("{:.1} MiB", b / (1024.0 * 1024.0))
-    } else {
-        format!("{:.2} GiB", b / (1024.0 * 1024.0 * 1024.0))
-    }
-}
diff --git a/src/database.rs b/src/database.rs
index 4531482..cba74bc 100644
--- a/src/database.rs
+++ b/src/database.rs
@@ -586,6 +586,10 @@ impl Database {
             .bind(peer_id)
             .execute(self.pool.get().await?.deref_mut())
             .await;
+        let _ = sqlx::query("DELETE FROM device_group_peers WHERE peer_id = ?")
+            .bind(peer_id)
+            .execute(self.pool.get().await?.deref_mut())
+            .await;
         let _ = sqlx::query("DELETE FROM peer WHERE id = ?")
             .bind(peer_id)
             .execute(self.pool.get().await?.deref_mut())
@@ -773,6 +777,10 @@ impl Database {
             .bind(group_id)
             .execute(self.pool.get().await?.deref_mut())
             .await;
+        let _ = sqlx::query("DELETE FROM device_group_peers WHERE device_group_id = ?")
+            .bind(group_id)
+            .execute(self.pool.get().await?.deref_mut())
+            .await;
         let res = sqlx::query("DELETE FROM device_groups WHERE id = ?")
             .bind(group_id)
             .execute(self.pool.get().await?.deref_mut())
@@ -810,6 +818,77 @@ impl Database {
         Ok(())
     }
 
+    /// Devices explicitly added to a group via `device_group_peers`.
+    /// Returns (peer_id, owner_username); owner is empty if the device has
+    /// never been bound to a user (vanilla rustdesk client).
+    pub async fn device_group_peer_members(
+        &self,
+        group_id: i64,
+    ) -> ResultType<Vec<(String, String)>> {
+        let rows = sqlx::query(
+            "SELECT dgp.peer_id AS pid, COALESCE(u.username, '') AS owner \
+             FROM device_group_peers dgp \
+             LEFT JOIN device_sysinfo ds ON ds.id = dgp.peer_id \
+             LEFT JOIN users u ON u.id = ds.user_id \
+             WHERE dgp.device_group_id = ? \
+             GROUP BY dgp.peer_id \
+             ORDER BY dgp.peer_id",
+        )
+        .bind(group_id)
+        .fetch_all(self.pool.get().await?.deref_mut())
+        .await?;
+        Ok(rows
+            .into_iter()
+            .map(|r| {
+                (
+                    r.try_get::<String, _>("pid").unwrap_or_default(),
+                    r.try_get::<String, _>("owner").unwrap_or_default(),
+                )
+            })
+            .collect())
+    }
+
+    pub async fn device_group_add_peer(
+        &self,
+        group_id: i64,
+        peer_id: &str,
+    ) -> ResultType<()> {
+        sqlx::query(
+            "INSERT OR IGNORE INTO device_group_peers(device_group_id, peer_id) VALUES(?, ?)",
+        )
+        .bind(group_id)
+        .bind(peer_id)
+        .execute(self.pool.get().await?.deref_mut())
+        .await?;
+        Ok(())
+    }
+
+    pub async fn device_group_remove_peer(
+        &self,
+        group_id: i64,
+        peer_id: &str,
+    ) -> ResultType<()> {
+        sqlx::query(
+            "DELETE FROM device_group_peers WHERE device_group_id = ? AND peer_id = ?",
+        )
+        .bind(group_id)
+        .bind(peer_id)
+        .execute(self.pool.get().await?.deref_mut())
+        .await?;
+        Ok(())
+    }
+
+    /// True if `peer_id` exists in `device_sysinfo`. Used to validate before
+    /// inserting into `device_group_peers` so the admin UI can show a
+    /// helpful error instead of accepting a typo silently.
+    pub async fn peer_exists(&self, peer_id: &str) -> ResultType<bool> {
+        let row = sqlx::query("SELECT 1 FROM device_sysinfo WHERE id = ? LIMIT 1")
+            .bind(peer_id)
+            .fetch_optional(self.pool.get().await?.deref_mut())
+            .await?;
+        Ok(row.is_some())
+    }
+
     pub async fn strategies_list_all(&self) -> ResultType<Vec<StrategyRow>> {
         let rows = sqlx::query(
             "SELECT id, name, modified_at, config_options_json, extra_json \
@@ -1944,7 +2023,8 @@ impl Database {
         limit: i64,
     ) -> ResultType<(i64, Vec<PeerListRow>)> {
         // Common select: device_sysinfo joined to its owner. We pick the
-        // alphabetically-first device-group name as the surfaced group.
+        // alphabetically-first device-group name as the surfaced group,
+        // considering both owner-based and direct peer-group membership.
         let where_clause = if is_admin {
             "1 = 1"
         } else {
@@ -1952,6 +2032,11 @@ impl Database {
                 SELECT m2.user_id FROM device_group_members m1 \
                 JOIN device_group_members m2 USING(device_group_id) \
                 WHERE m1.user_id = ? \
+            ) OR ds.id IN ( \
+                SELECT dgp.peer_id FROM device_group_peers dgp \
+                JOIN device_group_members dgm \
+                  ON dgm.device_group_id = dgp.device_group_id \
+                WHERE dgm.user_id = ? \
             ))"
         };
         let count_sql = format!(
@@ -1965,8 +2050,14 @@ impl Database {
                     COALESCE(u.status, 1) AS owner_status, \
                     ds.payload AS sysinfo, \
                     ( SELECT dg.name FROM device_groups dg \
-                      JOIN device_group_members mm ON mm.device_group_id = dg.id \
-                      WHERE mm.user_id = ds.user_id ORDER BY dg.name LIMIT 1 \
+                      WHERE dg.id IN ( \
+                          SELECT device_group_id FROM device_group_members \
+                            WHERE user_id = ds.user_id \
+                          UNION \
+                          SELECT device_group_id FROM device_group_peers \
+                            WHERE peer_id = ds.id \
+                      ) \
+                      ORDER BY dg.name LIMIT 1 \
                     ) AS device_group_name \
              FROM device_sysinfo ds \
              LEFT JOIN users u ON u.id = ds.user_id \
@@ -1981,6 +2072,7 @@ impl Database {
                 .try_get("c")?
         } else {
             sqlx::query(&count_sql)
+                .bind(viewer_id)
                 .bind(viewer_id)
                 .bind(viewer_id)
                 .fetch_one(self.pool.get().await?.deref_mut())
@@ -1995,6 +2087,7 @@ impl Database {
                 .await?
         } else {
             sqlx::query(&list_sql)
+                .bind(viewer_id)
                 .bind(viewer_id)
                 .bind(viewer_id)
                 .bind(limit)
@@ -2214,21 +2307,22 @@ impl Database {
         {
             return Ok(s);
         }
-        // Look up the device's owner; without an owner there's nothing to
-        // join on, so we stop here.
-        let owner = sqlx::query(
+        // Look up the device's owner. May be NULL on a vanilla rustdesk
+        // client that never bound to a user — in that case we still want to
+        // honor any direct device-group membership before giving up.
+        let owner_id_opt: Option<i64> = sqlx::query(
             "SELECT user_id FROM device_sysinfo WHERE id = ? AND user_id IS NOT NULL LIMIT 1",
         )
         .bind(peer_id)
         .fetch_optional(self.pool.get().await?.deref_mut())
-        .await?;
-        let Some(owner_row) = owner else {
-            return Ok(ResolvedStrategy::default());
-        };
-        let owner_id: i64 = owner_row.try_get("user_id")?;
-        let owner_id_str = owner_id.to_string();
+        .await?
+        .and_then(|r| r.try_get("user_id").ok());
+        let owner_id_str = owner_id_opt.unwrap_or(0).to_string();
         // Device-group assignment: any strategy assigned to a group that the
-        // owner is a member of.
+        // owner is a user-member of, OR that the peer itself is directly a
+        // member of via `device_group_peers`. The owner_id placeholder binds
+        // to 0 for ownerless peers — `device_group_members.user_id` is never
+        // 0, so the first branch of the UNION matches nothing in that case.
         if let Some(s) = self
             .strategy_lookup(
                 "SELECT s.modified_at, s.config_options_json, s.extra_json \
@@ -2236,14 +2330,19 @@ impl Database {
                  JOIN strategy_assignments sa ON sa.strategy_id = s.id \
                  WHERE sa.device_group_id IN ( \
                      SELECT device_group_id FROM device_group_members WHERE user_id = ? \
+                     UNION \
+                     SELECT device_group_id FROM device_group_peers   WHERE peer_id = ? \
                  ) \
                  ORDER BY sa.priority DESC LIMIT 1",
-                &[&owner_id_str],
+                &[&owner_id_str, peer_id],
             )
             .await?
         {
             return Ok(s);
         }
+        if owner_id_opt.is_none() {
+            return Ok(ResolvedStrategy::default());
+        }
         // User assignment.
         if let Some(s) = self
             .strategy_lookup(
@@ -2989,6 +3088,16 @@ const M2_SCHEMA: &[&str] = &[
         PRIMARY KEY (device_group_id, user_id)
     )",
     "CREATE INDEX IF NOT EXISTS idx_dgm_user ON device_group_members(user_id)",
+    // Direct device membership in a group. Independent of owner-based
+    // membership (device_group_members) — a group can contain users,
+    // peers, or both. Peer is keyed by id (text) since device_sysinfo
+    // is keyed on (id, uuid) and operators identify devices by id alone.
+    "CREATE TABLE IF NOT EXISTS device_group_peers (
+        device_group_id INTEGER NOT NULL,
+        peer_id         TEXT    NOT NULL,
+        PRIMARY KEY (device_group_id, peer_id)
+    )",
+    "CREATE INDEX IF NOT EXISTS idx_dgp_peer ON device_group_peers(peer_id)",
     // SQLite forbids expressions in PRIMARY KEY constraints, so we use a
     // unique index over the COALESCEd tuple to enforce one share per
     // (ab, user) and one per (ab, group). NULLs collapse to 0 so two NULL
