MDM-Driven Assignee Updates

Overview

By default, allwhere is the source of truth for the assignee on existing assets — MDM sync updates hardware specifications but does not change who a device is assigned to. The Allow MDM to update allwhere assignee setting lets you opt in to MDM-driven assignee updates on a per-connection basis, so that allwhere stays in sync with device handoffs you record in your MDM.

This setting is available for all three supported MDM integrations: Iru (Kandji), Jamf, and Microsoft Intune. It works identically across all three.

Key concepts

• Per-connection setting — the opt-in is configured separately for each MDM connection, not per-asset
• Default OFF — you must explicitly enable the setting
• Status-guarded — MDM-driven assignee writes only apply to assets in Allocated or Transferred status. Assets in inventory, pending, locked, or terminal statuses are always protected
• One-way sync — MDM updates flow into allwhere; allwhere never pushes assignee changes back to your MDM

How to enable

During initial MDM connection setup (Connect page)

When connecting a new MDM integration, you will see a checkbox labeled "Allow MDM to update allwhere assignee" on the Connect page. Check the box before completing the connection to enable the feature from the first sync. The checkbox is unchecked by default.

After connection (Settings page)

You can enable or disable the setting at any time from the MDM Settings page:

1. Navigate to Integrations from the avatar menu
2. Open the Settings page for your connected MDM (Iru/Kandji, Jamf, or Intune)
3. Toggle the "Allow MDM to update allwhere assignee" checkbox
4. A confirmation dialog will appear describing the effect of the change — confirm to save

The new setting takes effect on the next sync cycle. It does not retroactively apply to past MDM observations.

What happens when the setting is ON

Assignee updates

During each daily MDM sync, allwhere compares the MDM-observed assignee with the current allwhere assignee for each asset. If they differ and the asset is in an eligible status:

• Assignee changes — if MDM shows a different person than allwhere, the allwhere assignee is updated to match MDM
• Assignee removal — if MDM shows no assignee and allwhere has one, the allwhere assignee is cleared
• No change — if MDM and allwhere already agree, no write occurs

Lifecycle-end detection (device wipe / un-enrollment / removal)

When a device disappears from your MDM (e.g., it was wiped, un-enrolled, or removed), allwhere detects this at the end of each successful sync run. If the asset is currently in Allocated status:

• The asset status transitions from Allocated → Transferred
• The assignee is cleared
• The MDM identifier (Kandji ID / Jamf ID / Intune ID) is cleared

This reflects that the device is no longer linked to a live MDM device record and is back under organizational control. The asset remains visible on the main Asset Inventory page but will no longer appear on the MDM-specific Integrations tab until the device is re-enrolled.

Assets in any status other than Allocated are not affected by lifecycle-end detection.

Re-enrollment recovery

If a device that was previously lifecycle-ended (now in Transferred status with no MDM identifier) re-appears in your MDM — for example, after being wiped and re-deployed to a new employee — allwhere automatically recovers:

• The asset status transitions from Transferred → Allocated
• A new MDM identifier is written
• If MDM shows a new assignee, that person is set as the allwhere assignee

This completes the full wipe → return → re-deploy lifecycle without manual intervention.

What happens when the setting is OFF (default)

When the setting is OFF, the sync behaves exactly as it always has:

• Hardware specifications (model, serial number, OS, etc.) are still synced from MDM
• New assets created from MDM will still have the MDM-observed assignee written during initial creation
• If an existing asset has no assignee and MDM provides one, the assignee is still written (first-write behavior)
• Existing non-null assignees are never overwritten or cleared by MDM
• Lifecycle-end detection and re-enrollment recovery are not triggered

Status protection

MDM-driven assignee writes are only permitted when the asset is in one of these statuses:

• Allocated
• Transferred

Assets in all other statuses are protected. This includes inventory statuses (In Inventory, Pending Allocation, Pending Receipt, etc.), locked statuses (Activation Locked, BIOS Locked, MDM Locked, Recovery Locked), terminal statuses (Donated, Recycled, Sold, Lost), and operational statuses (HOLD, Intake, Warehouse Transfer, etc.).

If an asset is in a protected status, the MDM-driven assignee write is silently skipped — no error is displayed.

Active order precedence

If an asset has an active outbound order (such as a retrieval or deployment order in progress), both lifecycle-end detection and re-enrollment recovery are skipped for that asset. Order-driven status transitions always take precedence over MDM-driven lifecycle transitions.

Frequently asked questions

Does enabling this setting trigger an immediate sync?

No. The setting takes effect on the next regularly scheduled daily sync. You can use the "Sync Now" button to trigger an immediate sync if needed.

Will enabling the setting retroactively apply past MDM assignee data?

No. Only future sync cycles will evaluate and apply assignee changes. Historical MDM observations are not backfilled.

What if MDM shows an assignee that doesn't exist in allwhere?

The existing MDM sync behavior applies — if the MDM-observed assignee can be resolved to an allwhere user by email address, the match is made. If not, the existing sync handling for unmatched users applies.

Can I enable this for one MDM connection but not another?

Yes. The setting is per-connection. If you have both Kandji and Intune connected, you can enable MDM-driven assignee updates on one and leave the other off.

What if someone manually changes the assignee in allwhere while MDM-driven updates are enabled?

The last write wins. If you manually assign a device in allwhere and the next MDM sync shows a different assignee, MDM will overwrite it (since the setting is ON). If you need allwhere to remain authoritative for a specific device, the device's status or the connection-level setting is your control mechanism.

What happens if I turn the setting OFF after it was ON?

Future syncs will stop overwriting or clearing assignees. Assignee changes that already occurred while the setting was ON are not reverted — they follow normal allwhere edit paths from that point forward.

Related articles

• Integration with Iru (Kandji)
• Integration with Jamf Pro
• Integration with Intune
• Iru (Kandji): How to connect to allwhere
• How to connect Jamf and allwhere
• How to connect with Intune