Manage Devices by Who’s Using Them — Not by Serial Number: Announcing Public Beta
Your identity provider (IdP) knows everything about your organization: every department, role, and group membership. Updates happen in real time as people join, switch teams, or leave.
Your Apple MDM knows everything about your devices: every Mac, iPhone, and iPad. What software is installed, what settings are applied, what policies are enforced and more. But those two systems need to talk to one another to enable true zero-touch onboarding, role-based changes, and offboarding.
When a new engineer starts on Monday, you don’t want to be assigning their Mac to the right policy, making sure Xcode and Docker get installed, or configuring access levels all by hand. Because if that engineer moves teams or leaves six months later? You may be doing it all over again.
This is the daily reality for IT teams or MSPs managing hundreds or thousands of Apple devices. The information exists, but the automation didn’t – until now.
The Real Cost of Manual Apple MDM
The numbers tell the story. Across hundreds of IT organizations, support tickets related to device naming, user-to-device mapping, and manual policy assignment pile up. Onboarding and offboarding workflows alone generate tickets that take an average of 25 days to resolve—not because the work is hard, but because it’s manual, repetitive, and easy to forget.
One IT admin put it bluntly: “We have to treat the email, write it in the device, in a file, collect it with custom data fields, push it through the system… all that just to collect an email address.”
Another admin described managing 340 iPads—every single one named iPad in the console—with no way to tell which belonged to whom without physically checking each device.
These aren’t edge cases. They’re the norm. MSPs and IT teams have built fragile workarounds—scripts, spreadsheets, manual tagging—to connect people to devices. And every workaround breaks the moment someone forgets to update it.
Introducing End User Management for Zero-Touch Apple MDM in Addigy
End User Management, or “user-based policy assignments,” connects your identity provider to Addigy so Apple MDM automation can happen without manual intervention. Connect Okta or Microsoft Entra ID via SCIM. Your users, groups, and attributes sync into Addigy. Map users to their devices. Then create policies that apply automatically—so deployments, access changes, and security actions don’t depend on someone remembering to file (or work) another ticket.
When attributes change in your IdP, device configurations update to match. No manual intervention. No tickets. No lag.
End User Management is now available as a public beta open to all Addigy customers on every plan.
How End User Device Management Works
- Connect your identity provider
Addigy integrates with Okta and Microsoft Entra ID via SCIM—the industry standard for identity provisioning. Once connected, your users and groups sync automatically. Your IdP remains the single source of truth. Addigy listens and acts.
- Map users to devices
Know exactly which user owns which device. Assignment can happen automatically through Addigy Identity or Enrollment SSO when users authenticate. Or assign manually, or upload a CSV for bulk assignment of existing fleets. Need to find a user’s devices? Search by name or email and instantly see every Mac, iPhone, and iPad they’re using.
- Define policies that power zero-touch
This is where the paradigm shifts. In Flex Policies, create conditions based on user attributes from your IdP: department, group membership, role, and more. When someone logs into a device, Addigy evaluates who they are and applies the right policies automatically. When their attributes change in your IdP, their device configuration updates automatically—without rework.
- Audit everything
Every attribute-driven policy change is logged. You can see exactly why a policy was applied to a device, when the last sync occurred, and what changed—creating a clear audit trail for compliance and troubleshooting.
What This Means for Your Team
True zero-touch onboarding
A new hire unboxes their Mac, walks through Setup Assistant, and authenticates. Based on their department and role in your IdP, they automatically receive the right software, settings, and access levels. By the time they reach the desktop, they’re ready to work.
You don’t need to touch a thing.
Automatic offboarding
When HR disables an account in your IdP, Addigy sees it. Policies can automatically revoke access, enable Lost Mode, or trigger your offboarding workflow. No more discovering weeks later that a departed employee’s laptop still has full access to everything.
Role changes that just work
Someone moves from Marketing to Sales. Their IdP group membership changes. Addigy detects it, removes the Marketing tools, and deploys the Sales stack. No ticket required. No one had to remember.
Management at the user level, not the device level
Stop thinking “these 50 Macs need this software.” Start thinking “Engineers need these tools.” The devices follow the people.
How to Get Started with End User Management for Addigy Customers
Step 1: Enable the beta
Go to End Users in your Addigy console and enable the End User Management beta toggle.
Step 2: Connect your identity provider
Select Setup End User Management. You’ll receive a SCIM URL and Bearer Token to configure in Okta or Entra ID.
Step 3: Let users sync
Once configured, your users and groups sync automatically. Timing depends on your IdP—typically within 30 minutes.
Step 4: Assign users to devices
Enable automatic assignment through Addigy Identity or Enrollment SSO. For existing fleets, assign manually or upload a CSV.
Step 5: Create policies for zero-touch deployment
In Flex Policies, add conditions based on user attributes (department, group membership, role, or any attribute your IdP provides). Devices move into the right policies based on who’s using them—without ongoing manual work.
The Bigger Picture
Apple MDM has historically been device-centric: serial numbers, hardware models, asset tags. Policies applied to machines, not the real-world workflows IT supports.
End User Management bridges that gap so zero-touch workflows are actually possible: when someone joins, their device is ready; when they move teams, their device adapts; when they leave, their device is secured—automatically.
