Announcing Support for New Features in macOS Big Sur
Kandji is proud to announce release day support for macOS Big Sur, which is now generally available.
Some important new MDM features are included in Apple’s latest release. Support for the following updates is already live in your Kandji accounts:
- Commands that required supervision prior to macOS Big Sur
- Managed Applications for macOS
- Changes to the Kerberos Extension Profile
- New certificate size option in the SCEP profile (4096 bits)
- Auto Advance for macOS
We have also released several new features to support changes related to macOS Big Sur readiness and to improve your overall experience using Kandji:
- Display Bootstrap Token escrow status
- Allow standard users to complete KEXT install
- Enable automatic updates for Auto Apps by default
- New Agent update: Lightweight check-in, Apple Silicon support
- Improved user experience for Software Update profile
- Alert & Slack notification for removed MDM profile
- Allow standard users to approve system-level PPPC requests
- Kandji Agent last check-in column
Commands that required supervision prior to macOS Big Sur
Automated Device Enrollment (formerly DEP) used to be the only way to supervise devices. With macOS Big Sur, it's now possible through manual Device Enrollment with UAMDM status.
In Kandji, this supervision will occur under two conditions: either the Mac is enrolling for the first time, or it’s being upgraded to macOS 11.
Commands such as the following are now available to IT admins for these devices:
- Use Activation Lock bypass codes
- Control over what software is updated and when
- Leverage a Bootstrap Token
- Use supervised payloads, restrictions, commands, and queries
- Query, list, and delete local user accounts
Managed Applications for macOS
While previously only available for iOS, Managed Applications are now coming to macOS with Big Sur. Kandji now supports Managed Apps for macOS from Apps and Books with Apple Business Manager (formerly VPP).
This new functionality allows Kandji to remove apps if a macOS device is removed from MDM management, or if an app is removed from a Kandji Blueprint.
Changes to the Kerberos Extension
Additional customization is available within the Kerberos Extension UI. This includes the ability to set a custom username label that is displayed on the “Username” field, such as “Company ID.” You can also set a custom help message.
Admins also have more control over the initial login experience for IT administrators on macOS 11. This includes a new MDM configuration option to delay the first login prompt and a new flag on the app-SSO binary to manually trigger the initial login prompt when desired (for example, from a script executed by the Kandji Agent).
The menu on macOS will also display more detail about the state of the extension to the user. When clicked, it will provide additional information about the state of the network and credentials.
New certificate size option in the SCEP profile
A new key size, 4096 bits, is available in the Simple Certificate Enrollment Protocol (SCEP) Profile. This is the largest key size available, providing the most robust security measures.
Auto Advance for macOS
Auto Advance for Mac allows IT admins to set up Mac devices very quickly by leveraging Automated Device Enrollment (formerly DEP) and plugging a Mac into power and ethernet. Once the Mac starts, it will automatically skip all setup screens, bringing the user directly to the login page.
Display Bootstrap Token escrow status
We’ve written a lot about the changes to Bootstrap Token and SecureToken for devices running macOS Big Sur with Apple Silicon. MDM will require Bootstrap Token in order to approve and load KEXTs and install Software Updates. To support these changes, you can now see if Bootstrap Token is escrowed by checking the details tab within a macOS device record.
Allow standard users to complete KEXT install
To support changes to Kernel Extensions (KEXTs) on macOS Big Sur, we support a new option on the Kernel Extension payload which allows standard users to approve a restart that rebuilds the Kernel Cache for Kernel Extensions approved by MDM.
Enable automatic updates for App Store apps by default
In Apps and Books within the Settings section in Kandji, the option to automatically update apps is now turned on by default. This option enables Kandji to audit your App Store apps daily and update to the latest version silently. For any new App Store apps you create, automatic updates will be enabled by default.
If you would like to ensure that automatic updates are enabled for your existing App Store apps, make sure the “Don’t automatically update this app” option remains unchecked, which is the default.
New Agent update: Lightweight check-in, Apple Silicon support
A new version of the Kandji Agent has been released. In addition to minor bug fixes and feature enhancements, the Agent will now perform a lightweight check-in prior to its full check-in immediately following a wake from sleep, Agent update installation, network state change, and at the start of every standard check-in. This prevents unnecessary reinstalls or "Agent Missing" status.
The Kandji agent has also been recompiled to support Apple Silicon using a Universal 2 Binary.
Improved user experience for the Software Update profile
We’ve made some design updates to improve your experience when using and configuring the Software Update profile. There is a two-column layout and a simple slider to determine the amount of time to defer software updates.
Alert & Slack notification for removed MDM profile
Admins can now be proactively alerted when an MDM profile is removed from a device locally. Notifications will be displayed in the Alerts section and can also be configured to send as a Slack notification.
Allow standard users to approve system-level PPPC requests
A few weeks ago, we wrote a blog post all about changes to PPPC in macOS Big Sur. In summary, macOS Big Sur prevents standard users from approving applications for certain sensitive system-level PPPC controls (Screen Recording and Input Monitoring), which was not the case in macOS Catalina.
We’re excited to announce that Kandji now supports these changes, which allows admins to use MDM and the PPPC profile to allow standard macOS users to approve defined applications for Screen Capture and Input Monitoring on macOS Big Sur.
For more information, visit the Create a Privacy Preferences Policy Control (PPPC) Profile knowledge base article.
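The following is an added example, not Kandji's code: a small audit of an exported PPPC profile that lists which apps have approval delegated to standard users and flags entries where that delegation is misapplied. The payload type, the `Services` keys and the `AllowStandardUserToSetSystemService` value are taken from Apple's PPPC payload rather than from this page, and the sample profile, bundle IDs and code requirement are constructed placeholders.

```python
import plistlib

# Key names and values follow Apple's PPPC payload; ListenEvent is Input Monitoring.
PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"
STD_USER_AUTH = "AllowStandardUserToSetSystemService"
STD_USER_SERVICES = {"ScreenCapture", "ListenEvent"}

# Constructed sample: bundle IDs and the code requirement are placeholders.
REQ = 'identifier "com.example.meetings" and anchor apple generic'
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": PPPC_TYPE,
        "Services": {
            "ScreenCapture": [{"Identifier": "com.example.meetings",
                               "IdentifierType": "bundleID",
                               "CodeRequirement": REQ,
                               "Authorization": STD_USER_AUTH}],
            # Misuse: the value is not accepted for Accessibility.
            "Accessibility": [{"Identifier": "com.example.meetings",
                               "IdentifierType": "bundleID",
                               "CodeRequirement": REQ,
                               "Authorization": STD_USER_AUTH}],
            # Misuse: nothing pins which binary the approval applies to.
            "ListenEvent": [{"Identifier": "com.example.hotkeys",
                             "IdentifierType": "bundleID",
                             "Authorization": STD_USER_AUTH}],
        },
    }],
})

def audit_pppc(profile_bytes):
    """Return (delegated, findings) for standard-user approvals in a profile."""
    delegated, findings = [], []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PPPC_TYPE:
            continue
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                if entry.get("Authorization") != STD_USER_AUTH:
                    continue
                app = entry.get("Identifier", "<missing>")
                if service not in STD_USER_SERVICES:
                    findings.append(f"{service}/{app}: value not valid for this service")
                elif not entry.get("CodeRequirement"):
                    findings.append(f"{service}/{app}: no CodeRequirement pins the app")
                else:
                    delegated.append((service, app))
    return delegated, findings
```

Running `audit_pppc` over each profile before it is assigned to a Blueprint gives a reviewable list of exactly which apps standard users will be able to approve.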
Kandji Agent last check-in column
In the Devices section, you can show and hide columns for device facts that are relevant to you. We’ve added a new option in the column chooser called “Agent last checked in” to show the timestamp of the last time the Kandji Agent checked in for a device.
With innovation and iteration at the core of everything we do, we’re constantly building solutions to give you more of what you need and improve upon features you already love. With Kandji, you can be confident that your Apple fleet is in safe and secure hands from deployment to retirement.