Use assignment rules to intelligently assign Library Items to devices in your fleet
What are Assignment Rules?
As of September 18, 2024, Library Item Assignment Rules for use with Classic Blueprints are considered deprecated, but remain functional and are supported for customers with existing configured rules. Assignment Maps are the future of flexible scoping in Kandji, and a true end-of-life date for Library Item Assignment Rules will be announced in the coming months.
Starting on October 2, 2024, customers with no existing configured Library Item Assignment Rules are no longer able to add any new ones and should use Assignment Maps for flexible scoping instead. Net new customers with tenants created after October 2 also are not able to use Library Item Assignment Rules.
Assignment rules let you configure devices by applying specific settings and software to select groups using conditional blocks within an Assignment Map. This feature offers flexibility and control, ensuring the right configurations are applied to the appropriate devices.
- What are Assignment Rules?
- How do Assignment Rules work?
- Building Assignment Rules
- Combining Rules into Rulesets
- Other Considerations
- Library Item Assignment Rules within Classic Blueprints
How do Assignment Rules work?
Assignment rules allow a Kandji administrator to apply different device configurations based on specific conditions. These conditions can be determined by device attributes, user attributes, or other criteria from integrated identity providers like Okta, Google Workspace, OneLogin, or Microsoft Entra ID. For more details on setting up assignment rules in conditional blocks within an Assignment Map, please refer to our Advanced Assignment Maps Configuration support article.
Building Assignment Rules
Compatibility checks take precedence over Assignment Rules. For instance, if you have a Library Item that requires macOS 14 or later, it will be marked as Incompatible on devices running anything below macOS 14.
Assignment Rules are comprised of the following components:
- Input - An attribute that will be compared when evaluating a rule. For example, a device's chip type.
- Operator - The method of comparison used when evaluating a rule. For example, Is or Is Not.
- Value - The specific data that the input will be compared to when evaluating a rule. For example, Intel or Apple silicon.
A completed rule might look like this:
- Input: Chip type
- Operator: Is
- Value: Apple silicon
This rule would ensure that the Library Item is installed only on Macs with Apple silicon.
Supported Inputs, Operators, and Values
Assignment Rules support the following inputs, operators, and values.
Input | Operators | Example Values |
|---|---|---|
Enrollment Type | is is not | Automated Device Enrollment Manual Device Enrollment |
Chip type | is | Apple Silicon Intel |
FileVault | is | On Off |
Supervision status | is | Supervised Not Supervised |
Device family | is one of is not one of | iMac iMac Pro Mac Pro MacBook MacBook Pro MacBook Air Mac mini Mac Studio |
are exactly are not exactly does not contain one of | Test Pilot Production | |
Asset Tag | is is not is one of is not one of contains | Honolulu 123987 DEN-123845-MBP |
Serial Number | is is not one of contains does not contain | QCM2XXXXXX |
OS version | is is not is greater than is less than is greater than or equal to is less than or equal to is between | 12 13.1 16.2.2 |
Mac Family | is one of is not one of | |
User Email | is is not one of contains does not contain | admin@accuhive.io |
User Group | is one of is not one of | database-admins |
User Job Title | is is not one of contains does not contain | Product Engineer |
User Department | is is not one of contains does not contain | Product |
Combining Rules into Rulesets
You can combine multiple rules into rulesets, which are evaluated together. Rules in a ruleset are combined using an AND logical operator, meaning all conditions must be met for the rule to apply. Some inputs allow multiple values, which are combined using an OR logical operator.
A completed ruleset might look like this:
|
|
This ruleset would install the Library Item if the device is a Mac with Apple silicon and either a MacBook Pro or a MacBook Air.
Other Considerations
- For User Group, Mac Family, User Job Title, and User Department, when providing multiple input values for the criteria, these will be treated as an "OR" operator between the values.
- For example, if you set "user group" to "is one of" with the values of "finance users" and "engineer users," a user will only need to be in one of these groups for the rule to evaluate true.
- The User Group option allows for auto-complete of known groups.
- Job Titles and Departments must be typed in full.
- To enter multiple Job Titles, Departments, Serial Numbers or Asset Tags, press enter, and the current text input will become a chip so that more can be added, or you can paste a newline-separated list into the box, and each value will automatically become a chip.
- Assignment Rules based on User Group assignment will be evaluated at the next daily check-in. For more information about device check-in, see the following support articles:
Device Family Assignment
- The device family assignment (Install on selector) allows you to define specific device families that a library item should be installed on.
- Example: This can be leveraged to install a multi-platform Apps and Books app, such as Okta Verify, to a single device family.
- The Install on field will show only compatible device families.
- Example: If an app store app is only compatible with macOS, you cannot select iPhone from the device family selector.
- Additionally, selecting or excluding a specific device family will change the Assignment Rules available to you.
- Example: Removing Mac would disable the macOS option within the OS Version rule.
Library Item Assignment Rules within Classic Blueprints
Adding Assignment Rules to a Library Item
If a Library Item supports Assignment Rules, you can add them by editing the Library Item.
- Select or create a Library Item.
- Assign the Library Item to the Classic Blueprint to which you want the Rules to apply.
- In the Rules section under Assignment, click Add.
- Choose the input type from the Select input menu.
- Select the operator (i.e., Is, Is Not, Contains).
- Provide the necessary value(s).
- Optionally, add more rules by clicking Add rule.
- Click Confirm to save the rule.
Viewing Assignment Rules for a Library Item
You can view Assignment Rules for a Library Item in several ways:
- In the Library, the item will show an Assignment Rules glimpse.
- In the Classic Blueprint, the item will display the number of rules and their details.
- In the Device Status view, the Assignment Rules glimpse indicates whether the item is pending, installed, or in an error state
Editing Assignment Rules
To edit existing rules, perform the following steps:
- Select the Library Item, and click Edit in the lower right-hand corner.
- Click Edit in the Rules section.
- Make the necessary changes, and click Confirm.
Considerations when Editing Assignment Rules
The following actions can be taken when editing Assignment Rules:
- Add a Rule - each input can only be specified once
- Change Inputs
- Change Operators
- Change Values
- Delete an individual rule - you cannot delete the last rule this way; instead, delete an entire set of Assignment Rules
Delete an Entire Set of Assignment Rules
You can delete an entire set of Assignment Rules from a Library Item. This will cause the Library Item to be installed on all devices in all assigned Blueprints the next time each device checks in.
- Select the Library Item, and click Edit in the lower right-hand corner.
- Click Remove in the Rules section.
- Click Remove again in the warning dialog.
- Click Save to save the Library Item without any Assignment Rules.
Library Item Support
The following library items currently support assignment rules:
| Auto Apps | Energy Saver | Screensaver |
| App Store apps | FileVault | Single Sign-On Extension |
| Airplay Security | Firewall | Software Update |
| AirPrint | Gatekeeper | SSH |
| App Lock | Kernel Extension | System Extension |
| App Store | Login & Background Items | System Preferences Panes |
| Certificate | Login Window | VPN |
| Conference Room Display | Managed Data Flow | Wallpaper |
| Custom App | Media Access | Wi-Fi |
| Custom Script | Passcode | |
| Custom Printer | Privacy | |
| Custom Profile | Recovery Password | |
| Device Name | Restrictions |