The Future of Scoping: Assignment Maps Explained

Kandji’s latest Demo Day focused on Assignment Maps, a different approach to Blueprints, which make it easier to assign apps, configurations, and settings to your Apple devices. In this article, we’ll review topics covered in the Demo Day, including what Assignment Maps are, how to build them, and how they work. At the close, we’ll highlight questions and answers from our expert team provided during the live Q&A.

You can also watch the full Demo Day recording here:

What Are Assignment Maps?

Assignment Maps are a visual, logic-based way to automate and precisely control the assignment of apps and configurations to Apple devices by department, user, or other attributes. First launched in 2024, Assignment Maps are a significant step forward in intuitive, scalable device management and security.

If you’re a current Kandji user, you can think of Assignment Maps as an evolution of our classic Blueprint functionality. For those unfamiliar with Blueprints in Kandji, Assignment Maps replace the confusing and time consuming task of managing deployment settings based on complicated rules and manual settings. Additionally, they ​​offer a fine-tuned level of control and flexibility without the associated chaos that often comes with scoping configurations to devices.

Before we dive into specific features, here are a few important terms and definitions to help you understand how Assignment Maps work in Kandji:

• Library Items (e.g., apps, scripts, settings, etc.) are curated in a central library and can be flexibly assigned via Blueprints or Assignment Maps
• Blueprints are collections of configurations, parameters, and Library Items that can be assigned to groups of devices. Multiple Blueprints can be created for different roles, departments, or locations, providing precise control over device management
• Assignment Maps are a newer, more visual and interactive type of Blueprint. They allow admins to define deployment logic using conditional nodes based on user or device attributes. This offers highly granular, adaptable deployments and supports nested rules, reusable items, and automated conflict resolution

Overall, Assignment Maps enable greater control and ease-of-use with less opportunity for confusion and technical complications.

Key Features of Assignment Maps 

Instead of organizing devices into static groups and manually assigning settings, you can use conditions like device type, department, or specific user information to control which apps and settings are applied. Assignment Maps then automatically match devices to the right configurations based on those conditions.

Plus, everything happens on a visual canvas that expands as needed - no limits. You can drag and drop apps, create branching rules, and see at a glance how assignments are structured. The visual layout helps you quickly understand how configurations are applied and why a certain device is receiving a particular setting.

Features

• Visual mapping: start from scratch or use a Blueprint template. Then use the canvas to add Library Items, configure apps, and assign across your fleet, down to a specific user. Customize as needed.
• Conditional logic: create clear if/then rules based on device type, department, job title, OS version, and more. Typically, maps are built to be general (i.e., widely applicable) on the left side of the canvas and get more granular as you build logic to the right. To prevent conflicts and access issues, and in the case of a conflict, devices will inherit the settings furthest to the right within the Assignment Map.
• Real-time device lookup: quickly and easily track any device through your Assignment Map to understand its configuration logic. Looking up a device within an Assignment Map will tell you why a specific device did or did not qualify for a particular assignment.
• Built-in security: get prompted with visual indicators and messages about conflicting settings when multiple rules apply to the same device. Rapidly audit your assignment logic to understand why controls and access were configured.

How do Assignment Maps Compare to Existing Solutions?

Traditional solutions rely on highly technical, manual configurations that increase the mental burden on admins and drain valuable team resources. This approach wrongly equates complexity with sophistication and security.

At Kandji, we believe you shouldn’t have to choose between control and clarity. Our platform is designed to support complex, granular scoping needs—without the chaos and friction that typically come with that complexity.

That’s what makes Kandji intuitive. It empowers teams to move faster, reduce mistakes, and maintain strong security—all while managing advanced workflows with confidence.

This becomes especially clear in an apples-to-apples comparison between Assignment Maps and traditional options.

Assignment Maps provide a dynamic, visual, and flexible approach to assigning applications and configurations compared to the traditional group or policy-based methods found in most Apple admin tools. Assignment Maps allow for complex, conditional logic based on real-time user and device data, reducing manual group management and potential assignment conflicts. For admins this is a clear win when compared to less intuitive logic modeling and more manual oversight for complex deployments.

Creating an Assignment Map in Kandji

Assignment Map creation can be as fast as a few clicks if you’re using a Blueprint template, or more detailed depending on the level of logic, Library Items, settings, and customization you need to apply. During our recent Demo Day webinar, Senior Enterprise Solutions Engineer Brian Van Peski walked through how to build an Assignment Map using the process outlined below:

1. Start from scratch, or use a template to get going quickly.

2. Add additional applications, configurations, and scripts.

3. Create logic for specific scoping needs, whether by department, job title, or individual serial number.

4. Use device lookup to check your logic or for troubleshooting.

Assignment Maps Demo Q&A

• Q: Should I create one master Blueprint with logic covering all departments and devices, or create separate Blueprints for distinct groupings like department or device type?
  • A: Ultimately, this is up to you. You can have as many or as little Blueprints as you want or need. Many start with one Blueprint and customize the Assignment Map to fit their needs, and create new Blueprints if they feel it's necessary.
• Q: Can a tag be assigned to a machine before it goes through auto enrollment?
  • A: Asset Tags can be assigned to devices pre-enrollment, but Device Tags can only be applied to a device once it is enrolled.
• Q: Is there a matrix or chart of all the items included in Blueprint templates?
  • A: Yes, your CSM contact or customer support is a good resource for these materials. 
• Q: Let’s suppose a junior developer required the same tool as a senior developer. Can you accommodate that need without making changes in the assignment mapping?
  • A: Depending on your logic, you can add that user or device manually or tag them to change their access.
• Q: In case of lift off, when do group IdP tags take effect?
  • A: That depends on when a user is assigned to a device. There are a few methods of doing this: manually in the Enrollment section of the Kanji web app, or automatically by requiring authentication during automated device enrollment. 
• Q: What’s the best way to migrate from classic blueprints to assignment maps?
  • A: Build your assignment map to match the logic you want, then test with a device that’s not in a classic Blueprint. After testing, assign devices and ensure it’s working smoothly. There will be additional resources to support this migration. If you have a classic Blueprint today that’s complex, you can filter Library Items that were previously in a Blueprint to make migration faster. 
• Q: If there’s deprecation of Blueprints, will support and notifications be provided?
  • A: Yes.
• Q: Can device tags be the result of a script run on a device?
  • A: Yes, you can tag a device with scripts run via API. 
• Q: At what interval does Kandji synchronize groups from Google Workspace?
  • A: Every 4 hours.
• Q: Is there a deadline to complete the migration to assignment maps?
  • A: Classic Blueprints will be End of Life by the end of 2025.
• Q: If I’m a new user, is it best to ignore classic Blueprints altogether?
  • A: Yes, in fact Assignment Maps are the ONLY type of Blueprint you can create in new tenants.
• Q: Can you explain the difference between parameters and library items? Can I alter parameters within the assignment map also?
  • A: Parameters are toggled on or off, you can’t modify them. Library items are much more sophisticated with criteria, variables, timeframes.
•  Q: How can I have a VPN available in Self Service instead of deploying to everyone?
  • A: If the VPN is on our AutoApps list, you can deploy your VPN app using the Self-service option. If not available in Auto-Apps, you can use our custom app library item to deploy your VPN to self-service.
• Q: Is there an OR/AND condition too?
  • A: Yes, based on the criteria used various logical operators are available.
• Q: Any limit on the nested logic?
  • A: No. You can branch off as many times as needed.

Learn More About Assignment Maps

Assignment Maps make device configuration in Kandji more flexible, visual, secure, and easier to manage. If you want to dive deeper into what Assignment Maps offer, check out the following resources:

• Watch the full Assignment Maps Demo Day
• Explore Assignment Maps in our knowledge base

What’s next? If you’re interested in learning more about Kandji, consider starting a free trial or joining a future Demo Day for a hands-on learning experience with peers.