Using Assignment Rules

By David Marks

Use assignment rules to install a Library Item on a subset of devices in a Blueprint

Note: If a Google or Azure AD native integration was configured prior to December 12, 2022 you must re-authenticate your directory integration to leverage Assignment Rules.

About Assignment Rules

Assignment rules allow you to establish conditions under which Library Items will be applied to devices in a Blueprint. This allows you to target a subset of devices in a Blueprint without creating a new Blueprint just for those devices. For example, if you have two Library Items for a custom app that distributes separate Intel and Apple silicon binaries, you can place both in the same Blueprint and use assignment rules to target devices based on chip type. Rules are evaluated for each device in a Blueprint when the device checks in. If a Library Item is set to Self Service, the assignment rules determine if it is shown. If it is not set to Self Service, the assignment rules determine if it is installed on the device.

Note: Compatibility checks supersede Assignment Rules. For example, a Library Item scoped with Assignment Rules that requires macOS 11+ (such as the Microsoft Word Auto App) will show an Incompatible status on anything less than macOS 11.

Definitions

Input

An attribute that will be compared when evaluating a rule. For example, a device's chip type.

Operator

An operator used for comparison when evaluating a rule. For example, Is or Is Not.

Value

A value that the input will be compared to when evaluating a rule. For example, Intel or Apple silicon.

A completed rule might look like this:

This would cause the Library item to be installed on any Mac with Apple silicon.

A completed rule might look like this:

Combine Rules into Rulesets

Rules may be combined into rulesets, with each rule input allowed to appear once in a ruleset. Rules in a ruleset are combined with an AND logical operator. Some inputs, such as device family, allow multiple values, which are combined with an OR logical operator. As an example, take this ruleset:

This ruleset would install the Library Item if the device is a Mac with Apple silicon and either a MacBook Pro or a MacBook Air.

Add Assignment Rules to a Library Item

If a Library Item supports assignment rules, you can add them by editing the Library Item.

Select the Library Item from the list and click Edit, or create a new Library Item.
If the Library Item supports assignment rules, it displays a Rules section under Assignment. Click Add. This will open an Assignment Rules interaction to allow you to create the rules.
A placeholder for the first rule is automatically added and lets you choose the input, the operator, and the value. From the Select input pop-up menu, select the input type for the rule. See below for available input types.
From the Operator pop-up menu, select the operator for your rule. See below for a list of operators that apply to each input.
The Value varies depending on the input and operator. Provide the necessary value(s) for your desired combination of input and operator. See below for a list of value types based on the input.
If you wish to add another rule, click Add rule and repeat the above steps for each new rule.
When you are finished adding rules, click Confirm.

View Assignment Rules of a Library Item

You can tell that a Library Item has assignment rules in several ways.

In the Library, the Library Item will have the assignment rules glimpse,.
In the Blueprint, the Library Item will have the assignment rules glimpse, the number of rules in the ruleset, and a disclosure to show the rules.

For items shown in the Device Status view, the assignment rules glimpse indicates that rules are present on the Library Item, and the status indicator shows whether the Library Item was installed or excluded by the rules.

In the Library Item view, assignment rules are shown in the assignment area.

A Library Item with assignment rules will show as Pending until the device checks in. Then, if the rules evaluate to True, the status will show that the Library Item was installed. If the rules are evaluated as False, the status will be Excluded.

Edit Assignment Rules on a Library Item

Once assignment rules are added to a Library Item, you may edit them. Changed rules will be evaluated the next time each device checks in.

Select the Library Item from the list and click Edit.
Click Edit in the Rules section under Assignment.
Change the rules as you need to:
- You may add rules. Each input can only be specified once.
- You may change inputs.
- You may change operators.
- You may change values.
- You may delete an individual rule by clicking theicon. Note: You cannot delete the last rule this way. See Delete an Entire Set of Assignment Rules.
Click Confirm.

Delete an Entire Set of Assignment Rules

You can delete an entire set of assignment rules from a Library Item. This will cause the Library Item to be installed on all devices in all assigned Blueprints the next time each device checks in.

Select the Library Item from the list and click Edit.
ClickRemove.
Click Remove in the warning dialog.
Click Save to save the Library Item without any assignment rules.

Supported Inputs, Operators, and Values

Library Item assignment rules currently support the following inputs, operators, and values.

Input	Operators	Example Values
Enrollment Type	is is not	Automated Device Enrollment Manual Device Enrollment
Chip type	is	Apple Silicon Intel
FileVault	is	On Off
Supervision status	is	Supervised Not Supervised
Device family	is one of is not one of	iMac iMac Pro Mac Pro MacBook MacBook Pro MacBook Air Mac mini Mac Studio (supports multiple values)
Asset Tag	is is not is one of is not one of contains does not contain contains one of does not contain one of	Honolulu 123987 DEN-123845-MBP
Serial Number	is is not is one of is not one of contains does not contain contains one of does not contain one of	QCM2XXXXXX
OS version	is is not is greater than is less than is greater than or equal to is less than or equal to is between	12 13.1 16.2.2
Mac Family	is one of is not one of
User Group	is one of is not one of	database-admins
User Job Title	is is not is one of is not one of contains does not contain contains one of does not contain one of	Product Engineer
User Department	is is not is one of is not one of contains does not contain contains one of does not contain one of	Product

Note for User Group, Mac Family, User Job Title, and User Department: When providing multiple input values for the criteria that these will be treated as an "OR" operator between the values.

For example, if you set "user group" to "is one of" with the values of "finance users" and "engineer users" a user will only need to be in 1 of these groups in order for the rule to evaluate true.

The User Group option allows for auto-complete of known groups. Job Titles and Departments must be typed in full. 

To enter multiple Job Titles, Departments, Serial Numbers or Asset Tags, press enter, and the current text input will become a chip so that more can be added.

Device Family Assignment

The device family assignment (Install on selector) allows you to define specific device families that a library item should be installed on. For example, this can be leveraged to install a multi-platform Apps and Books app, such as Okta Verify, to a single device family.

Only compatible device families will be shown within the Install on field. For example, if an app store app is only compatible with macOS, you cannot select iPhone from the device family selector.

Additionally, selecting or excluding a specific device family will change the assignment rules available to you. For example, removing Mac would disable the macOS option within the OS Version rule.

Library Item Support

The following library items currently support assignment rules

Custom App
Custom Script
Custom Printer
Custom Profile
Auto Apps
App Store Apps
Managed OS
AirPlay Security
AirPrint
App Lock
App Store
Certificate
Conference Room Display
Energy Saver
FileVault
Firewall
Gatekeeper
Kernel Extension
Login & Background Items
Login Window
Managed Data Flow
Media Access
Passcode
Recovery Password
Screen Saver
Single Sign-On Extension
Software Update
SSH
System Extension
System Preferences Panes
VPN
Wi-Fi