Device Assignment & User Authentication

Purpose

When enrolling devices into Mosyle Education, there are three models of assignment to choose from:

• Limbo: When enrolling a device into a Limbo state, the device is neither assigned to a User or a Shared Device Group. This allows for the device to potentially belong to all locations or no locations for purposes of receiving more generalized Management Profiles.
• 1:1: This option indicates the device will be enrolled and assigned to an individual end-user.
• Shared: When enrolling devices as Shared devices, they can be grouped together in Shared Device Groups. This is an easy way to organize a static group of devices. For iOS/iPadOS devices that will be designated as Shared, they can be either Mosyle Shared or Apple Shared iPad devices.

In order to scope configurations and profiles based on users or device groups, the Users and/or Shared Device Groups will need to be registered in Mosyle and devices will need to be assigned to their corresponding user or group. Device Assignment can be accomplished in multiple different ways using Mosyle MDM.

The ideal workflow when using Mosyle MDM is to automate the device assignment as much as possible to promote a hands-off deployment.

When a device isn't assigned to a specific user or shared device group, it is displayed as a “Limbo” device in Mosyle. Limbo devices can be configured by assigning configurations and profiles to all current and future devices and/or Limbo devices, rather than the user or shared device group.

Notes:

• Apple TVs are always enrolled as Limbo devices. For these devices, profiles and configurations will need to be assigned based on the device or dynamic device group.
• Devices enrolled using User Enrollment will be automatically assigned to the user based on the Managed Apple ID used to complete the enrollment.

Assigning Devices to Users

Configure Device Assignment Settings by going to My School > Users > Device Assignment. Here you can choose from the following:

• User Authentication Assignment: Configure device assignment behavior based on user authentication. Detailed information is included below.
• Random Automatic Assignment: Randomly pair an unassigned device with a selected user.
• Spreadsheet Assignment: Upload a spreadsheet with the device serial number and corresponding User ID to complete device assignment.

Devices can also be assigned to users manually at any time within the Mosyle MDM web console by viewing the Device Information or User Information.

• Device Info: When assigning a single device to a user, you can use the Device Info screen to complete the assignment. To do this, go to Management > Devices > Devices Overview > Click the device name to open the Device Info window. Next to Type, click Change and choose either 'Change to 1:1 (assign to student)', 'Change to 1:1 (assign to user)', or 'Change to shared' and select the user or Shared Device Group to assign the device. 
• User Profile: When assigning a single device to a user, you can use the User Profile screen to complete the assignment. To do this, go to My School > Users > Find and select the user > Click Assign one Device > Select the device. 

User Authentication Assignment

By default, when a user authenticates on a device, the device will be assigned to the user and remove the assignment of any other device of the same OS from the user. Administrators can modify or adjust this behavior within the User Authentication Assignment settings under My School > Users > Device Assignment.

The User Authentication Assignment settings offers three main options:

• Only auto-assign devices not already assigned to a user: This option will ensure that a user is assigned to the device in Mosyle when authenticating via the specified method ONLY if the device was not already assigned to a user. If the device was already assigned and another user logs in, the device will remain assigned to the original user.
• Auto-assign the device to the user: This option will ensure that a user is assigned to the device in Mosyle when authenticating via the specified method. Devices that are already assigned will change assignment when the new user authenticates and devices not already assigned will be assigned. When this option is configured, the assignment can be removed when a user logs out of the application.
• Do NOT auto-assign the device to the user: This option will prevent users from being assigned to a device when authenticating via the specified method.

Devices assigned to Shared Device Groups will never automatically be converted to 1:1 devices. When a user authenticates on a Shared Device, it will remain shared but will reflect the current user logged in so that any/all profiles assigned to the user can be applied.

Assignment Methods

Methods for assigning devices to end users via authentication include the following:

• Personalized enrollment URL: When devices are enrolled manually using the Safari URL, users can use their own personalized enrollment URL to complete the enrollment and assignment of the device. Find the user's enrollment URL under My School > Users > Click the User to view the enrollment URL.
• Mosyle app login: Users can login to the Mosyle Manager app with their Mosyle access code, User ID, email address, or Single Sign-On credentials to complete the device assignment. To allow users to login to the Mosyle Manager app with their Single Sign-On credentials, configure Single Sign-On for the iOS/iPadOS and macOS apps under My School > Preferences > Single Sign-On./li>
• SSO Authentication during Automated Device Enrollment: Users can authenticate with their Single Sign-On credentials within the Custom Setup Assistant to complete the device assignment.
• Mac user account login: Users can login to their local user account on the Mac to complete device assignment if the local user account name is the same as their User ID in Mosyle.
• Mosyle Auth: Users can login to the Mac using their SSO credentials via Mosyle Auth to complete the device assignment.

In most cases, user authentication with their school or district Single Sign-On credentials is the preferred method due to the user familiarity with the credentials and ability to automate the assignment flow. Three frequently used methods for assigning devices to users are described below.

Completing Device Assignment during Automated Device Enrollment (iOS/iPadOS & macOS)

The Custom Setup Assistant is available within the Automated Device Enrollment profile which allows Administrators to prompt users during the enrollment to authenticate with either their Mosyle access code or their Single Sign-On credentials (Google, Azure, AD FS, or Active Directory). My School > Apple Basic Setup > Enrollment > Automated Device Enrollment > Customize Setup Assistant > Mosyle User Authentication or Single Sign-On Authentication. This option is available for both iOS/iPadOS and macOS devices allowing the enrollment flow to be consistent across all devices.

Configuring this option, users will be prompted to authenticate during the Automated Device Enrollment which will complete the device assignment. In order to complete the device assignment, the users must be imported and registered in Mosyle with the email address used to authenticate. This method of authentication and device assignment brings multiple benefits:

• Enrollment security considering only users within the Mosyle account will be able to successfully authenticate;
• Ability to rename devices during enrollment based on user information;
• Ability to pre-assign profiles and configurations to specific users, grade levels, or courses/classes which will be installed immediately upon enrollment;
• Ability to pre-fill local user account information on the Mac;
• Hands-off approach to device enrollment and assignment.

Completing Device Assignment using the Mosyle Manager app (iOS/iPadOS & macOS)

If the enrollment will be completed by the IT department, or use of the Custom Setup Assistant is not possible within the school or district, user authentication through the Mosyle application can complete the device assignment. With this method, the device will be enrolled and remain in limbo until a user logs in to the Mosyle Manager app to complete the device assignment.

By default, the Mosyle Manager application accepts login using the user's Mosyle access code, User ID, or email address. Admin users and Teachers will be required to enter their Mosyle password. Students and Staff users aren't required to have a password unless Single Sign-On authentication is configured.

Administrators can configure the Mosyle Manager application to accept login using Single Sign-On credentials such as Google, Azure, AD FS, or Active Directory by configuring the Single Sign-On profile under My School > Preferences > Single Sign-On > Login on Mosyle iOS app and/or Login on Mosyle macOS app.

Completing Device Assignment during macOS login

On Mac computers, device assignment can be completed based on the user logging in on the device.

Mac user account login

When users login on the Mac, so long as the account name matches the User ID in Mosyle the device will be assigned to the user upon logging in on the Mac.

This assignment option can be used for devices that have been enrolled via Automated Device Enrollment or manually. When enrolled via Automated Device Enrollment, the user can be prompted to create the local user account with their User ID during the Setup Assistant and upon logging in, the device will be assigned to the user. If using the Terminal command to enroll via Automated Device Enrollment or manually enrolling a device, when logging in with an account on the Mac be sure the account name matches a User ID in Mosyle to complete the device assignment.

Mosyle Auth

Users logging into the Mac using Mosyle Auth will automatically complete the device assignment (depending on Device Assignment settings). This assignment option is useful for devices enrolled via Automated Device Enrollment where the local user account creation during the Setup Assistant is skipped. This way, the device will go through the enrollment and launch the Mosyle Auth login window. Upon logging in, the device will be assigned to the user.

Multiple Device Assignment

The default device assignment behavior in Mosyle follows a 1-to-1 model, therefore if the user logs in and/or is assigned to another device, they will be unassigned from the first device. However, we understand in some scenarios users may have more than 1 device assigned. Using the options and workflows listed below will ensure a previously assigned device will not be unassigned when the user authenticates on another device to complete the assignment.

The workflow used to assign multiple devices will depend on the planned deployment flow. A maximum of 10 devices per OS platform can be assigned to each user, in other words, up to 10 iOS/iPadOS and 10 macOS devices can be assigned to each user.

• Automated Device Enrollment

  If devices are enrolled using Automated Device Enrollment and users are authenticating during enrollment to complete the device assignment, multiple devices can be assigned upon enrollment by configuring the account Settings under My School > Preferences > Other Settings > General Preferences > Check the box 'Allow for multiple device assignment on enroll'.

• Device Info and/or User Profile

  Multiple devices can be assigned to a user through the Device Info screen by going to Management > Devices Overview > Click a device in Limbo to bring up the Device Info window > Next to 'Type', click Change and select 'Change to 1:1' and select the user to assign the device. If the user already has a device assigned, check the box: 'A 1:1 device is already assigned to this user. Check this box to keep the already assigned device and also assign the additional device you selected. The previous device WILL NOT be moved to Limbo.'

  Assigning multiple devices to a user can also be completed directly in the User Profile by going to My School > Users > Find and select the user > Click Assign device to this user > Select the device.

• API Integration

  The 'assign_device' operation via the API can be used to assign multiple devices to users. If a device is already assigned to the user, the device assigned using the API will be in addition to the current device. Go to My School > Integrations > Mosyle API Integration for more information and documentation.

Assigning Devices to Shared Device Groups

A Shared Device Group is a way of organizing devices into static groupings in Mosyle. After creating a Shared Device Group, you can assign profiles to all devices in the group or by selecting individual devices when needed.

If you need to create a group where devices will be entering or leaving the group based on some specific criteria, it's recommended to use Dynamic Device Groups found under the Management tab.

Assigning devices to a Shared Device Group can be completed using a few different methods in Mosyle. The method used will depend on the planned deployment flow. Methods for assigning devices to Shared Device Groups are similar to those used for 1:1 devices and are listed below.

Completing Assignment during Automated Device Enrollment

If you are enrolling devices using Automated Device Enrollment, you can complete the assignment during the enrollment using:

• Devices for Shared Device Groups: When configuring the option "Devices for Shared Device Groups" in the Automated Device Enrollment profile, you will be prompted to select the Shared Device Group the device will be enrolled to.
• Custom Setup Assistant: In the Automated Device Enrollment profile (My School > Apple Basic Setup > Enrollment > Automated Device Enrollment), you can configure the Custom Setup Assistant for devices being enrolled as Limbo to utilize the Add to Shared Device Group option. When using this option, users will be prompted to enter the Shared Device Group access code during the enrollment.

Completing Assignment using the Mosyle Manager app

End-users can complete the device assignment by entering the Shared Device Group access code or scanning the QR code in the Mosyle application. In this scenario, devices will first be enrolled into Limbo. Once enrolled, users will launch the Mosyle app and scan the QR code, or enter the 6 digit access code for the Shared Device Group to complete the assignment.

Completing Assignment in the Mosyle Web Console

Mosyle Administrator users can complete the device assignment by logging into the Mosyle console and using:

• Spreadsheet: When assigning devices in bulk to the Shared Device Groups, you can use the Spreadsheet option. Go to Spreadsheet > Download the XLSX template for Shared Device Groups. Fill out the template with the shared group info and enter the serial numbers in the last column, comma-separated. When finished, upload the spreadsheet to complete the assignment.
• Shared Device Groups: To assign devices to the group, go to My School > Hierarchy > Shared Device Groups > Click the Group > Edit > Select the devices to be added to the shared group.

Devices in Limbo

Devices in Limbo are devices that are not assigned to a User or a Shared Device Group. Devices in Limbo can be associated with all locations in the account, or specified to belong to only one location.

To configure Limbo devices to be assigned to all locations, go to My School > Preferences > Other Settings > General Preferences > Check the box "Limbo devices belong to all locations". Click Save.

To configure Limbo devices to be assigned to a specific location, you can specify the location in the Automated Device Enrollment profile, or modify the locations by going to Management > Devices Overview > Bulk by Import > Download the template for Update Location. Fill out the template and upload.

Devices can be changed to Limbo devices using the following methods:

• Deleting the user or Shared Device Group the device is assigned to;
• Management > Devices Overview > Select the devices > More dropdown: Change to Limbo;
• Management > Devices Overview > Device Info > Type: Change to limbo

Once a device is in Limbo, it can be assigned to any user or Shared Device Group as needed.

Apple Shared iPad devices cannot be changed to Limbo without erasing and re-enrolling.