Posted on 02-11-2022 07:18 AM
The basic question is: how are you grouping and organizing your devices, and how do you keep them separated?
Historically, we have used Pre-Stage Enrollment as the starting point for grouping everyone. We are also an Active Directory school. So I started using Departments as a way of organizing various grade levels and relying on that to scope configs and apps....The difficulty comes when you have a multi-user device such as a computer that controls our theater booth or a shared mac mini that lives in a classroom used by many teachers. If I tie the device to the theater teacher, that device will receive all sorts of configurations that are meant for that individual user and I would have to remember to put exclusions all over the place.
The reason I have wanted to get away from Pre-Stage enrollment scoping is that I find it unreliable. For example, one day, we had a certificate suddenly expire and despite the fact that the devices are supposed to automatically receive the renewal if they are on, we had many that didn't which meant they had to be re-enrolled, which would mean the device would have to be either wiped or re-enrolled using User-Initiated Enrollment...obviously this removes it from the Pre-Stage group that the device belonged to and creates a cascading number of configs and apps to fall out of scope. What a nightmare.
I had the idea to create generic users that have specific departments so I could use that to assign, but we don't like the fact that there would be generic AD accounts floating around out there and the security audit team does not like this idea at all. What do you all do?
Posted on 02-11-2022 10:42 AM
We use smart groups based on device names in our district. The device names for 1:1 devices have the student/teacher username in them and their grad year. Devices assigned to a building/room or special purpose also have their own naming convention. Then we build smart groups based on criteria like grad year, building, room, etc. and the smart groups are scoped to apps, policies, and config profiles. We use a single pre-stage for all our devices and set it to auto-assign newly enrolled devices. For the most part it's all automated now. You image/erase/setup and name a device. Update the inventory, or just wait a bit, and it'll get all the apps, config profiles, etc. passed down to it shortly after. Below is a brief outline of our current convention.
Convention Key:
B – Building Code / C – Classroom Code / G – Graduation Year / R – Room Number / T – Device Type / U – Username / X – Device Number / Y – Purchase Year
Staff 1:1 Laptop:
BB-YY-UUUUUUUUU
Student 1:1 Laptop/ChromeBook/iPad:
GG-UUUUUUUUUUUU
Building-Assigned Desktops:
BB-YY-RRRRCC-XX
Building Assigned iPad:
BB-CCC-RRR-TTTT-XX
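As an added example (not code from either poster, and not a Jamf feature), here is a small Python script that parses device names against the convention outlined above and evaluates smart-group-style criteria against the parsed fields, the same way the console would match on the name. The field widths are taken from the letter counts in the key, the username character set is an assumption, and every sample device name and group definition below is constructed. The script also reports names that match no pattern, because a device that has been renamed by hand matches no group and therefore silently receives nothing, which is exactly the "fall out of scope" failure described in the first post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Naming patterns derived from the convention key in the post above.
# Field widths follow the letter counts in the key and the username
# character set is an assumption; adjust both to your own convention.
PATTERNS: Dict[str, re.Pattern] = {
    "staff_laptop": re.compile(
        r"^(?P<building>[A-Z0-9]{2})-(?P<purchase_year>\d{2})-(?P<username>[A-Za-z0-9.]+)$"
    ),
    "student_device": re.compile(
        r"^(?P<grad_year>\d{2})-(?P<username>[A-Za-z0-9.]+)$"
    ),
    "building_desktop": re.compile(
        r"^(?P<building>[A-Z0-9]{2})-(?P<purchase_year>\d{2})-"
        r"(?P<room>[A-Z0-9]{4})(?P<classroom>[A-Z0-9]{2})-(?P<device_number>\d{2})$"
    ),
    "building_ipad": re.compile(
        r"^(?P<building>[A-Z0-9]{2})-(?P<classroom>[A-Z0-9]{3})-(?P<room>[A-Z0-9]{3})-"
        r"(?P<device_type>[A-Z0-9]{4})-(?P<device_number>\d{2})$"
    ),
}


def parse_device_name(name: str) -> Optional[Dict[str, str]]:
    """Return the fields encoded in a device name, plus its kind, or None.

    Every pattern is anchored and the hyphen-separated segment counts differ
    (2, 3, 4 and 5), so at most one pattern can match a well-formed name.
    """
    for kind, pattern in PATTERNS.items():
        m = pattern.fullmatch(name.strip())
        if m:
            return {"kind": kind, **m.groupdict()}
    return None


def assign_groups(
    device_names: List[str], groups: Dict[str, Dict[str, str]]
) -> Tuple[Dict[str, List[str]], List[str]]:
    """Evaluate smart-group-style criteria (all listed fields must be equal)
    against each parsed name.

    Returns (group name -> member device names, unparseable device names).
    Unparseable names are returned separately because such a device matches
    no group and would silently receive no apps, policies or profiles.
    """
    membership: Dict[str, List[str]] = {group: [] for group in groups}
    unmatched: List[str] = []
    for name in device_names:
        fields = parse_device_name(name)
        if fields is None:
            unmatched.append(name)
            continue
        for group, criteria in groups.items():
            if all(fields.get(k) == v for k, v in criteria.items()):
                membership[group].append(name)
    return membership, unmatched


# Constructed sample inventory and group definitions (not from the post).
SAMPLE_DEVICES = [
    "HS-21-jsmith",          # staff laptop, building HS, purchased 2021
    "MS-22-tnguyen",         # staff laptop, building MS
    "26-aperez",             # student device, class of 2026
    "26-lchen",
    "27-bkim",
    "HS-20-0104AB-01",       # shared desktop, room 0104, classroom code AB
    "HS-THR-210-IPAD-03",    # shared iPad, classroom code THR, room 210
    "Johns MacBook Pro",     # renamed by hand: matches nothing, gets nothing
]

SAMPLE_GROUPS = {
    "Class of 2026": {"kind": "student_device", "grad_year": "26"},
    "HS staff laptops": {"kind": "staff_laptop", "building": "HS"},
    "HS shared desktops": {"kind": "building_desktop", "building": "HS"},
    "Theater classroom iPads": {"kind": "building_ipad", "classroom": "THR"},
}

if __name__ == "__main__":
    membership, unmatched = assign_groups(SAMPLE_DEVICES, SAMPLE_GROUPS)
    for group, members in membership.items():
        print(f"{group}: {members}")
    print(f"Names matching no convention (check these): {unmatched}")
```

Run it against an export of your inventory's computer names and review the unmatched list: with this approach the device name is effectively the source of truth for what a device is entitled to, so anything a user or tech renames drops out of every scope at once, and a periodic check for non-conforming names is the cheapest way to catch that before someone notices missing profiles.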