Skip to content
new assignment rules make kandji blueprints smarter
Blog Product Update New Assign...

New Assignment Rules Make Kandji Blueprints Smarter

Kandji Team Kandji Team
6 min read

Back in September, Kandji introduced assignment rules. These rules took a core component of Kandji device management—Blueprints—and made them even smarter. We’ve now dramatically expanded the scope of what assignment rules can do and how they’re defined.

First, some context: Blueprints allow you to define sets of configurations and payloads—in the form of Kandji library items—that will be deployed to groups of devices. You create a Blueprint, populate it with library items, and assign devices to it. When Kandji deploys the Blueprint, every device assigned to it automatically gets those configurations and payloads.

Assignment rules take Blueprints one step further. They allow you to compose rules that will determine whether or not a particular library item will actually be deployed to a given device. In our initial iteration of assignment rules, you could create rules based on device attributes—OS version, chip type, asset tag, and so on. In that initial version, rules could be applied to library items that deployed custom scripts, custom apps, or custom printers.

With our latest update, we've updated assignment rules so you can define them based on data stored with your identity provider (IdP). Specifically, you can base rules on a user’s department, job title, or user group, as long as that user data is stored in Google Workspace or Microsoft Azure AD. (SCIM support is coming in January 2023.)

User group

Any Kandji customer who has integrated their user directory from one of those sources with Kandji can now use those details about users to determine whether or not a given library item should be deployed to devices. Blueprints can now adapt what they deploy based on those user attributes.

Along with this latest update, you can also add rules to a new set of library items:

  • Auto Apps;
  • FileVault;
  • Firewall;
  • Gatekeeper;
  • Kernel Extension;
  • Login Window;
  • Media Access;
  • Recovery Password;
  • Screen Saver;
  • Software Update;
  • SSH; and
  • System Preference Panes.

The Benefits of Assignment Rules

The benefits of these changes to IT admins are clear: Assignment rules now give them more control over the end state of the devices they manage. They can scope items to devices based on user attributes and create custom logic to automatically deploy items (or not) to those user devices. 

This control, in turn, gives admins greater flexibility. A single Blueprint can now adapt what it enforces based on user attributes. This can drastically reduce the number of Blueprints that admins need to maintain. But flexibility doesn’t mean complexity. Admins don’t need to sort through a tangled web of user attributes, smart groups, and scoping rules to figure out why something is happening on a device; they just need to look at the appropriate library item.

So, for example, let’s say you have a Blueprint that you’ve assigned to everyone in your Chicago office. But it just so happens that your organization’s design team works there. And while those designers need the same basic configurations as everyone else in that office, they’re the only ones who need Figma. You can now add an Auto App library item for Figma to the Chicago Blueprint, then apply an assignment rule to it specifying that only those whose department equals “Design” get it.

Assignment rules 6

Or let’s say you have a group of product managers, in a variety of departments and locations, who have access to databases with live customer data. For those particular users, you deploy a data loss protection (DLP) tool such as Netskope or CoSoSys. You might not want to install such tools on everybody's computer, because they can be disruptive, but you really need all of the product managers to have them. You can create a Custom App library item for Netskope or CoSoSys and now use assignment rules to deploy it only to users with the  job title of “product manager.”

We’re just getting started with what assignment rules can do. Expect to see them applied to more library items and defined by more attributes in the not-too-distant future.

Kandji may be a device management company—but devices map to people. Leveraging directory data with assignment rules, you can now fine-tune how you manage devices based on who’s using them. 

For more on our updated assignment rules, check out our video:


And for more details on how to implement this latest update to assignment rules, see our support article. It's important to note that, to leverage directory data within assignment rules, you must reauthenticate your directory integration.

Request access to Kandji today.