
Assignment Maps: The Revolutionary New Way to Manage Apple Devices

Mike Boylan
Staff Product Manager at Kandji

Today, Kandji is excited to introduce Assignment Maps—an entirely new way to manage and secure fleets of Apple devices. They're highly visual, highly flexible, and will give admins incredible control over how the Apple devices they manage are configured, without clutter or confusion.

In the words of one early tester, “Wow! This is exactly what we’ve been waiting for.”

Assignment Maps: Setting the Scene

First, let’s take a step back and look at what it was like to assign configurations to managed devices in the past.

Typically, device management solutions required IT teams to make those assignments by applying rules to groups. While this approach allowed for infinite granularity, it also created some pretty big challenges.

Specifically, it was all too easy to assign conflicting settings to devices that belonged to overlapping groups. This required complicated troubleshooting. It could also be hard to know why one device got the right set of configurations, but another didn’t. Admins would have to dig through a tangle of rules and groups to solve that problem—time they could have been spending on more meaningful work. 

Kandji and Blueprints

We wanted something better. 

That’s why Kandji was built around the core concept of Blueprints. Blueprints provide a straightforward way to achieve the desired state for your Apple fleet: They define how configurations, settings, policies, and apps—in the form of Library Items—are scoped to devices. 

The beauty of Blueprints is that they’re definitive: Any device that’s assigned to a given Blueprint will get all of the Library Items that are in it (and that are appropriate to its device type). There is no ambiguity about which configurations they will receive; the Blueprint acts as a manifest. 

Over time, the need for additional flexibility in scoping led us to introduce Assignment Rules, which can be added to Library Items to determine whether or not they will be assigned to a specific group of devices. This made Blueprints more granular. 

But as time went on, we wondered whether we could add even more granularity—which is necessary when scoping at scale—without losing the intuitiveness and clarity that made Blueprints so great. And could we do that without creating the kind of tangled mess we’d seen in other solutions?

That’s what led us to Assignment Maps—a highly evolved, entirely new kind of Blueprint.

How Assignment Maps Work

Like the original Blueprints (which we now call “Classic Blueprints”), Assignment Maps contain Library Items, which define the configurations (settings, apps, and so on) that will be applied to devices. As with Classic Blueprints, a device can belong to only one map at a time, and only the Library Items included on that map can be installed on that device. But there are some really important differences between Assignment Maps and Classic Blueprints.

In the Classic Blueprints model, you might create one Blueprint for your Sales team and a separate one for R&D. Those two Blueprints might have many Library Items in common, but you’d still have two separate Blueprints scoped to two different groups.

With Assignment Maps, you can configure every Apple device in your organization with just one map. That map would essentially say, “Deploy X set of apps and settings to everyone in the organization. In addition, deploy Y apps and settings to everyone in the Sales department, and Z apps and settings to everyone in R&D.”

The keys to that mapping model are what we call “conditional blocks,” which contain if/else logic in the form of one or more “assignment nodes.”

You put Library Items in those nodes, which are then assigned to devices that meet the nodes’ criteria. Here’s how that works in practice:

Devices are evaluated left to right through the map’s logic to see if they match the rules you set. If they do, they will get the settings and apps you’ve assigned in those nodes. 

Assignment Maps make it easy to scope configurations by user locations, departments, or even device-specific identifiers such as asset tags. Ultimately, you can group Library Items and segment deployments any way you like; Assignment Maps provide near-infinite possibilities. 

One of the other customers who took part in our early-access program (and who manages some 3,000 Mac computers) told us, “As soon as we saw what Assignment Maps could do, there was just pure excitement.”

“It not only fit our existing use case, but it also opened an opportunity to make more granular changes and decisions than we had even thought of.” 

Assignment Maps: Scoping Without Conflicts

One benefit over Classic Blueprints is that a single Library Item can be reused multiple times on the same map, even with different rules applied. So, for example, if an app is needed in North America for Sales but also in APAC for Marketing, the app can be assigned to both places on the map. 

But, you might ask, couldn’t that reusability lead to conflicts on a device? What if you assign a configuration in one part of the map that conflicts with a configuration you’ve assigned somewhere else? Assignment Maps have conflict resolution built-in, so even if a device is assigned multiple conflicting configurations, the map resolves the conflict before it ever impacts the device.

Kandji Senior Product Designer Rachel Rochin explains how that works:

Assignment Maps resolve conflicts through a system of inherent priority: As a best practice, we recommend building maps from more general categories on the left to more specific ones on the right. The Library Item farthest to the right on a map takes priority over a conflicting one to the left. That system, plus the fact that a device can be assigned to only one map at a time and the first-match nature of the if/else logic, means conflicts can’t happen.
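A simplified model of the left-to-right evaluation and rightmost-wins conflict resolution described above, added here as an illustration and not Kandji's code. The `conflict_key` field, the device attributes and the sample map are assumptions, and nested blocks are not modeled.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Item:                          # a Library Item
    name: str
    conflict_key: Optional[str] = None   # hypothetical: the setting this item controls

@dataclass
class Node:                          # an assignment node: a rule plus its Library Items
    label: str
    rule: Callable[[dict], bool]
    items: list

def resolve(device, amap):
    """Walk the map left to right; return (Library Item names, path of matched nodes)."""
    chosen, path = {}, []
    for block in amap:               # blocks are ordered left to right
        for node in block:           # if/else chain: only the first matching node applies
            if node.rule(device):
                path.append(node.label)
                for item in node.items:
                    key = ("setting", item.conflict_key) if item.conflict_key \
                          else ("item", item.name)
                    chosen.pop(key, None)   # an item further right replaces one to its left
                    chosen[key] = item
                break
    return [i.name for i in chosen.values()], path

# Constructed sample map: general on the left, more specific on the right.
MAP = [
    [Node("Everyone", lambda d: True,
          [Item("Slack"), Item("Passcode 6-digit", "passcode")])],
    [Node("Sales", lambda d: d["dept"] == "Sales", [Item("CRM app")]),
     Node("R&D", lambda d: d["dept"] == "R&D",
          [Item("Passcode 12-char", "passcode"), Item("IDE")])],
    [Node("APAC", lambda d: d["region"] == "APAC", [Item("CRM app")])],  # reused item
]

if __name__ == "__main__":
    for dev in ({"dept": "R&D", "region": "NA"}, {"dept": "Sales", "region": "APAC"}):
        print(dev, "->", resolve(dev, MAP))
```

The returned path is the same information a device lookup exposes: which nodes the device matched on its way through the map.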

Visibility and Troubleshooting

Another big design goal for Assignment Maps was to make it easier for admins to test and troubleshoot, so there would never be a question about why or how a device got a particular configuration or app. With the rules-and-groups approaches that some solutions take, it can be difficult to see which settings a given device should get, because it may belong to overlapping groups. 

Assignment Maps have a lookup feature that shows how a given device progressed through the map’s logic and, thus, which Library Items it received.

Rachel Rochin shows how this works in practice:

As yet another early tester told us, “When you’re troubleshooting a device, and you don't know why it doesn't have what it should have, the Assignment Map shows the path it's taking.”

“Yesterday, somebody mentioned that something might be missing from our image. I opened up the map, did a quick scan, and determined, Yeah, it's missing. It took me two seconds to add the Library Item and drop it in there. And just like that, it remediated all those devices.”

Assignment Maps: The New Way

Assignment Maps are the result of years of customer feedback and many months of development at Kandji. We can’t wait to see how our customers use them to manage their own specific deployments. We’re confident the new level of flexibility that Assignment Maps afford will unlock incredible possibilities for organizations—from large enterprises to small and medium businesses—that manage their devices with Kandji.

As always, we’re thrilled that customers will be freed up for more important work as they streamline their device management with Kandji.

Existing customers can begin using Assignment Maps today. Additional information and considerations for moving to Assignment Maps can be found in our Knowledge Base.

And we aren’t done: We’re already at work on some really useful additions beyond Assignment Maps. Later this summer, we’ll be adding the ability to dynamically assign devices to a specific map or Classic Blueprint when they enroll in Kandji, based on conditions you specify. And soon, we’re also adding a new way to group devices in Kandji directly with “tags”, allowing you to be even more targeted with your mapping. Stay tuned!
