What are Assignment Rules?
As of September 18, 2024, Library Item Assignment Rules for use with Classic Blueprints are considered deprecated, but remain functional and are supported for customers with existing configured rules.
Assignment rules let you configure devices by applying specific settings and software to select groups using conditional blocks within an Assignment Map. This feature offers flexibility and control, ensuring the right configurations are applied to the appropriate devices.
How do Assignment Rules work?
Assignment rules allow a Kandji administrator to apply different device configurations based on specific conditions. These conditions can be determined by device attributes, user attributes, or other criteria from integrated identity providers like Okta, Google Workspace, OneLogin, or Microsoft Entra ID. For more details on setting up assignment rules in conditional blocks within an Assignment Map, please refer to our Advanced Assignment Maps Configuration support article.
Building Assignment Rules
Compatibility checks take precedence over Assignment Rules. For instance, if you have a Library Item that requires macOS 14 or later, it will be marked as Incompatible on devices running anything below macOS 14.
Assignment Rules are comprised of the following components:
Input - An attribute that will be compared when evaluating a rule. For example, a device's chip type.
Operator - The method of comparison used when evaluating a rule. For example, Is or Is Not.
Value - The specific data that the input will be compared to when evaluating a rule. For example, Intel or Apple silicon.
A completed rule might look like this:
Input: Chip type
Operator: Is
Value: Apple silicon
This rule would ensure that the Library Item is installed only on Macs with Apple silicon.
Supported Inputs, Operators, and Values
Assignment Rules support the following inputs, operators, and values.
Input | Operators | Example Values |
|---|---|---|
Enrollment Type | is is not | Automated Device Enrollment Manual Device Enrollment |
Chip type | is | Apple Silicon Intel |
FileVault | is | On Off |
Supervision status | is | Supervised Not Supervised |
Mac family | is one of is not one of | iMac iMac Pro Mac Pro MacBook MacBook Pro MacBook Air Mac mini Mac Studio |
are exactly are not exactly contain one of does not contain one of | Test Pilot Production | |
Asset Tag | is is not is one of is not one of contains does not contain contains one of does not contain one of | Honolulu 123987 DEN-123845-MBP |
Serial Number | is is not is one of is not one of contains does not contain contains one of does not contain one of | QCM2XXXXXX |
OS version | is is not is greater than is less than is greater than or equal to is less than or equal to is between | 12 13.1 16.2.2 |
User Email | is is not is one of is not one of contains does not contain contains one of does not contain one of | admin@accuhive.io |
User Group | is one of is not one of | database-admins |
User Job Title | is is not is one of is not one of contains does not contain contains one of does not contain one of | Product Engineer |
User Department | is is not is one of is not one of contains does not contain contains one of does not contain one of | Product |
Combining Rules into Rulesets
You can combine multiple rules into rulesets, which are evaluated together. Rules in a ruleset are combined using an AND logical operator, meaning all conditions must be met for the rule to apply. Some inputs allow multiple values, which are combined using an OR logical operator.
A completed ruleset might look like this:
|
|
This ruleset would install the Library Item if the device is a Mac with Apple silicon and either a MacBook Pro or a MacBook Air.
Other Considerations
For User Group, Mac Family, User Job Title, and User Department, when providing multiple input values for the criteria, these will be treated as an "OR" operator between the values.
For example, if you set "user group" to "is one of" with the values of "finance users" and "engineer users," a user will only need to be in one of these groups for the rule to evaluate true.
The User Group option allows for auto-complete of known groups.
Job Titles and Departments must be typed in full.
To enter multiple Job Titles, Departments, Serial Numbers or Asset Tags, press enter, and the current text input will become a chip so that more can be added, or you can paste a newline-separated list into the box, and each value will automatically become a chip.
Assignment Rules based on User Group assignment will be evaluated at the next daily check-in. For more information about device check-in, see the following support articles:
Device Family Assignment
The device family assignment (Install on selector) allows you to define specific device families that a library item should be installed on.
Example: This can be leveraged to install a multi-platform Apps and Books app, such as Okta Verify, to a single device family.
The Install on field will show only compatible device families.
Example: If an app store app is only compatible with macOS, you cannot select iPhone from the device family selector.
Additionally, selecting or excluding a specific device family will change the Assignment Rules available to you.
Example: Removing Mac would disable the macOS option within the OS Version rule.
Library Item Assignment Rules within Classic Blueprints
Adding Assignment Rules to a Library Item
If a Library Item supports Assignment Rules, you can add them by editing the Library Item.
Select or create a Library Item.
Assign the Library Item to the Classic Blueprint to which you want the Rules to apply.
In the Rules section under Assignment, click Add.
Choose the input type from the Select input menu.
Select the operator (i.e., Is, Is Not, Contains).
Provide the necessary value(s).
Optionally, add more rules by clicking Add rule.
Click Confirm to save the rule.
Viewing Assignment Rules for a Library Item
You can view Assignment Rules for a Library Item in several ways:
In the Library, the item will show an Assignment Rules glimpse.
In the Classic Blueprint, the item will display the number of rules and their details.
In the Device Status view, the Assignment Rules glimpse indicates whether the item is pending, installed, or in an error state
Editing Assignment Rules
To edit existing rules, perform the following steps:
Select the Library Item, and click Edit in the lower right-hand corner.
Click Edit in the Rules section.
Make the necessary changes, and click Confirm.
Considerations when Editing Assignment Rules
The following actions can be taken when editing Assignment Rules:
Add a Rule - each input can only be specified once
Change Inputs
Change Operators
Change Values
Delete an individual rule - you cannot delete the last rule this way; instead, delete an entire set of Assignment Rules
Delete an Entire Set of Assignment Rules
You can delete an entire set of Assignment Rules from a Library Item. This will cause the Library Item to be installed on all devices in all assigned Blueprints the next time each device checks in.
Select the Library Item, and click Edit in the lower right-hand corner.
Click Remove in the Rules section.
Click Remove again in the warning dialog.
Click Save to save the Library Item without any Assignment Rules.
Library Item Support
The following library items currently support assignment rules:
Auto Apps | Energy Saver | Screensaver |
App Store apps | FileVault | Single Sign-On Extension |
Airplay Security | Firewall | Software Update |
AirPrint | Gatekeeper | SSH |
App Lock | Kernel Extension | System Extension |
App Store | Login & Background Items | System Preferences Panes |
Certificate | Login Window | VPN |
Conference Room Display | Managed Data Flow | Wallpaper |
Custom App | Media Access | Wi-Fi |
Custom Script | Passcode | |
Custom Printer | Privacy | |
Custom Profile | Recovery Password | |
Device Name | Restrictions |