Use assignment rules to install a Library Item on a subset of devices in a Blueprint
If a Google or Azure AD native integration was configured prior to December 12, 2022 you must re-authenticate your directory integration to leverage Assignment Rules.
About Assignment Rules
Assignment rules allow you to establish conditions under which Library Items will be applied to devices in a Blueprint. This allows you to target a subset of devices in a Blueprint without creating a new Blueprint just for those devices. For example, if you have two Library Items for a custom app that distributes separate Intel and Apple silicon binaries, you can place both in the same Blueprint and use assignment rules to target devices based on chip type. Rules are evaluated for each device in a Blueprint when the device checks in. If a Library Item is set to Self Service, the assignment rules determine if it is shown. If it is not set to Self Service, the assignment rules determine if it is installed on the device.
Note: Compatibility checks supersede Assignment Rules. For example, a Library Item scoped with Assignment Rules that requires macOS 11+ (such as the Microsoft Word Auto App) will show an Incompatible status on anything less than macOS 11.
Definitions
Input
An attribute that will be compared when evaluating a rule. For example, a device's chip type.
Operator
An operator used for comparison when evaluating a rule. For example, Is or Is Not.
Value
A value that the input will be compared to when evaluating a rule. For example, Intel or Apple silicon.
A completed rule might look like this:
This would cause the Library item to be installed on any Mac with Apple silicon.
Combine Rules into Rulesets
Rules may be combined into rulesets, with each rule input allowed to appear once in a ruleset. Rules in a ruleset are combined with an AND logical operator. Some inputs, such as device family, allow multiple values, which are combined with an OR logical operator. As an example, take this ruleset:
This ruleset would install the Library Item if the device is a Mac with Apple silicon and either a MacBook Pro or a MacBook Air.
Add Assignment Rules to a Library Item
If a Library Item supports assignment rules, you can add them by editing the Library Item.
- Select the Library Item from the list and click Edit, or create a new Library Item.
- If the Library Item supports assignment rules, it displays a Rules section under Assignment. Click Add. This will open an Assignment Rules interaction to allow you to create the rules.
- A placeholder for the first rule is automatically added and lets you choose the input, the operator, and the value. From the Select input pop-up menu, select the input type for the rule. See below for available input types.
- From the Operator pop-up menu, select the operator for your rule. See below for a list of operators that apply to each input.
- The Value varies depending on the input and operator. Provide the necessary value(s) for your desired combination of input and operator. See below for a list of value types based on the input.
- If you wish to add another rule, click Add rule and repeat the above steps for each new rule.
- When you are finished adding rules, click Confirm.
View Assignment Rules for a Library Item
You can tell that a Library Item has assignment rules in several ways:
- In the Library, the Library Item will have the assignment rules glimpse.
- In the Blueprint, the Library Item will have the assignment rules glimpse, the number of rules in the ruleset, and a disclosure to show the rules.
- For items shown in the Device Status view, the assignment rules glimpse indicates that rules are present on the Library Item, and the status indicator shows whether the Library Item is pending, installed or in an error state. Excluded items can be shown by adjusting the filter to include the Excluded status.
- In the Library Item view, assignment rules are shown in the assignment area.
- A Library Item with assignment rules will show as Pending until the device checks in. Then, if the rules evaluate to True, the status will show that the Library Item was installed. If the rules are evaluated as False, the status will be Excluded.
Edit Assignment Rules on a Library Item
Once assignment rules are added to a Library Item, you may edit them. Changed rules will be evaluated the next time each device checks in.
- Select the Library Item from the list and click Edit.
- Click Edit in the Rules section under Assignment.
- Change the rules as you need to:
- You may add rules. Each input can only be specified once.
- You may change inputs.
- You may change operators.
- You may change values.
- You may delete an individual rule by clicking the trash icon. Note: You cannot delete the last rule this way. See Delete an Entire Set of Assignment Rules.
- Click Confirm.
Delete an Entire Set of Assignment Rules
You can delete an entire set of assignment rules from a Library Item. This will cause the Library Item to be installed on all devices in all assigned Blueprints the next time each device checks in.
- Select the Library Item from the list and click Edit.
- Click Remove.
- Click Remove again in the warning dialog.
- Click Save to save the Library Item without any assignment rules.
Supported Inputs, Operators, and Values
Library Item assignment rules currently support the following inputs, operators, and values.
Input | Operators | Example Values |
---|---|---|
Enrollment Type | is is not | Automated Device Enrollment Manual Device Enrollment |
Chip type | is | Apple Silicon Intel |
FileVault | is | On Off |
Supervision status | is | Supervised Not Supervised |
Device family | is one of is not one of | iMac iMac Pro Mac Pro MacBook MacBook Pro MacBook Air Mac mini Mac Studio (supports multiple values) |
Asset Tag | is is not is one of is not one of contains does not contain contains one of does not contain one of | Honolulu 123987 DEN-123845-MBP |
Serial Number | is is not is one of is not one of contains does not contain contains one of does not contain one of | QCM2XXXXXX |
OS version | is is not is greater than is less than is greater than or equal to is less than or equal to is between | 12 13.1 16.2.2 |
Mac Family | is one of is not one of | |
User Group | is one of is not one of | database-admins |
User Job Title | is is not is one of is not one of contains does not contain contains one of does not contain one of | Product Engineer |
User Department | is is not is one of is not one of contains does not contain contains one of does not contain one of | Product |
Note for User Group, Mac Family, User Job Title, and User Department: When providing multiple input values for the criteria, these will be treated as an "OR" operator between the values. For example, if you set "user group" to "is one of" with the values of "finance users" and "engineer users" a user will only need to be in 1 of these groups in order for the rule to evaluate true. The User Group option allows for auto-complete of known groups. Job Titles and Departments must be typed in full. To enter multiple Job Titles, Departments, Serial Numbers or Asset Tags, press enter, and the current text input will become a chip so that more can be added, or you can paste a newline-separated list into the box, and each value will automatically become a chip.
Device Family Assignment
The device family assignment (Install on selector) allows you to define specific device families that a library item should be installed on. For example, this can be leveraged to install a multi-platform Apps and Books app, such as Okta Verify, to a single device family.
Only compatible device families will be shown within the Install on field. For example, if an app store app is only compatible with macOS, you cannot select iPhone from the device family selector.
Additionally, selecting or excluding a specific device family will change the assignment rules available to you. For example, removing Mac would disable the macOS option within the OS Version rule.
Library Item Support
The following library items currently support assignment rules:
Auto Apps | Energy Saver | Restrictions |
App Store apps | FileVault | Screensaver |
Airplay Security | Firewall | Single Sign-On Extension |
AirPrint | Gatekeeper | Software Update |
App Lock | Kernel Extension | SSH |
App Store | Login & Background Items | System Extension |
Certificate | Login Window | System Preferences Panes |
Conference Room Display | Managed Data Flow | VPN |
Custom App | Media Access | Wi-Fi |
Custom Script | Passcode | |
Custom Printer | Privacy | |
Custom Profile | Recovery Password |