
Demo Day Recap: Automating Device Management & Security with Kandji

Kandji Team
30 min read

Welcome to the recap of our first Kandji Demo Day, a new series designed to go deep into the features, workflows, and security capabilities of the Kandji platform. Whether you're already a customer or just exploring Apple endpoint management solutions, this session offers a complete look at how Kandji helps automate and scale macOS and iOS management without sacrificing security or compliance. 

Kandji Demo Days are hosted by our Solutions Engineering team (not a sales team) and each session includes a full Q&A, so we encourage you to bring questions on everything from best practices to how Kandji stacks up against alternatives. 

If you prefer video, you can watch the full demo here:

Otherwise, read on for the complete breakdown.

Kandji Demo Day Recap

Managing Apple devices at scale is time-consuming, but the right tools can eliminate busywork, help enforce security policies, and simplify ongoing maintenance. Our first Demo Day broadly covered device security and management automation within Kandji. In particular, we focused on features that can eliminate or reduce manual effort without increasing non-compliance risk across macOS and iOS devices.

Features like zero-touch deployment and Assignment Maps allow IT teams to set up devices once and apply configurations automatically based on role, department, or security requirements. Auto Apps keeps software up to date without intervention, while Prism provides deep visibility into hardware, software, and compliance status. Endpoint Detection & Response (EDR) and Vulnerability Management tools continuously monitor for security threats, then automatically quarantine risks or alert admins when action is needed.

Even user authentication is streamlined with Passport, reducing friction while enforcing security policies. Every feature discussed in this session is designed to minimize the hands-on work required to maintain a secure, compliant, and fully managed Apple fleet.

Because this is a broad topic, we’ve clearly highlighted each feature in the following sections and made the full list easily scannable in the table of contents.

Table of Contents:

Device Management & Visibility

In Kandji, admins start with a clear view of all enrolled Apple devices and quick filtering based on common device attributes. For deeper insights, Prism allows custom filtering, detailed reporting, and granular visibility - from installed apps to cell service and battery health. Everything you need to track and organize devices is available in one place.

  • See all enrolled devices in one consolidated view.
  • Use filters to find key device information quickly.
  • Export information to generate reports for audits or internal tracking.

Screenshot of device management and visibility functions in Kandji

 


Apple Integrations & Enrollment Methods

Seamless device enrollment starts with Apple Business Manager (ABM) and Apple Push Notification Service (APNs), which facilitate zero-touch setup from the moment a device is powered on. For devices outside of ABM, manual enrollment provides an alternative. You can prepare devices for enrollment by proactively selecting blueprint and/or user assignments. Manually enrolled users have a simple, quick process to approve Kandji management via an enrollment code.

  • Automate enrollment and device setup for new employees.
  • Reduce IT workload with zero-touch deployment.
  • Ensure all devices remain properly linked to the MDM.

Screenshot of Apple integrations and enrollment methods in Kandji


Third-Party Integrations & Compliance

Kandji works seamlessly with tools like:

  • Okta and Google Workspace for identity management.
  • Slack and Teams for communication.
  • ServiceNow for ticketing and automation.

With our integrations, admins can sync users, enforce security policies, automate device compliance, and connect device data to other platforms. View a full list of our integrations here.

Screenshot of 3rd party integrations and compliance in Kandji


Library Items & Configuration

Library items simplify macOS management. Admins can use the Managed Updates library item to enforce OS updates and push security policies in just a few clicks. Kandji provides flexible options for updates, whether they’re optional or continuously enforced.

  • Reduce security risks by enforcing OS updates.
  • Customize onboarding with automated policies.
  • Target devices for forced updates.
  • Easily see the status of any device queued up for a specific update.

A screenshot of macOS library items and configuration in Kandji


Auto Apps: Managed Application Deployment

Instead of manually handling app installations and updates, admins can rely on Auto Apps to promote compliance and eliminate potentially vulnerable apps. With over 200 popular applications available, software stays updated based on your organization’s policies and without IT intervention. Plus, custom scripts can be added for further configuration.

  • Save time by automating app updates with multiple enforcement options.
  • Release silent updates for applications not currently in use.
  • Employ automated auditing for custom apps to maintain compliance.

Screenshot of auto apps managed application deployment in Kandji


Passport: Identity Management & Login Security

Instead of juggling multiple passwords, users can log in to macOS with their existing identity provider (IdP) credentials. Admins can customize the login experience with company branding and authentication options, making the process seamless.

  • Reduce password fatigue for employees.
  • Strengthen security with centralized authentication.
  • Customize login screens to align with company branding.

Screenshot of Passport identity management & login security in Kandji


iOS Configurations & Management

From app installations to home screen layouts, Kandji gives admins control over iPhones, iPads, Apple TVs, and Apple Vision Pros. Devices can be locked down to specific applications, and company branding can be applied with simple drag-and-drop functionality to ensure a professional, standardized look. Easily upload and deploy custom-built in-house apps to Kandji as needed.

  • Standardize device setups for a consistent user experience.
  • Quickly create a custom home screen for managed devices using pre-selected apps.
  • Ensure only approved apps and settings are in place.

Screenshot of iOS configurations & management in Kandji


Assignment Maps: Customizing Deployments

Blueprints determine which apps, policies, and security settings go to which users. Conditional logic makes it easy to create different configurations for various departments, teams, or user types. Need a specific app deployed to beta testers? No problem.

  • Automate deployments based on specific user roles.
  • Assignment map parameters offer further options for managing device access and maintenance (e.g., automatic restarts). 
  • For large volumes of devices, use the lookup function to define a specific assignment map.

Screenshot of assignment maps and customized deployments in Kandji


Endpoint Detection & Response (EDR)

Kandji’s security tools monitor devices for malware and suspicious behavior. Threats can be automatically quarantined, and admins have the option to allow or block software based on security needs.

  • Log and audit suspicious actions by device to identify and remove malware before it spreads.
  • Set security postures and automate security actions based on threat levels.
  • Maintain visibility into security risks across all devices.

Screenshot of endpoint detection & response in Kandji


USB & Storage Access Restrictions

Admins can control external device access, restricting USB drives, mounted volumes, and network shares. Need to require read-only access? Easy. Encryption can also be required to keep company data safe.

  • Prevent unauthorized data transfers.
  • Enforce encryption on external storage devices.
  • Set custom rules for different teams or departments.

Screenshot of USB & storage access restrictions in Kandji


Vulnerability Management

Kandji continuously checks for security risks, pulling from the National Vulnerability Database. Threats are ranked by severity, making it easy to decide whether to update, block, or accept the risk.

  • Identify and analyze security threats as soon as they appear.
  • Get clear recommendations on how to address risks, from updates to blocking and uninstalls.
  • Reduce device exposure to software vulnerabilities.

Screenshot of vulnerability management functions in Kandji

Kandji Resources & Support

We’ve worked hard to build a reputation as a leading support provider, and our team is staffed by Apple admins who know their stuff. Kandji help is available through live chat with experts, our detailed knowledge base, and a Slack community where users can connect and share insights.

Q&A Summary

  • Q: What’s the minimum number of devices needed to purchase Kandji?
    • A: The current minimum plan is 25 devices.
  • Q: Is endpoint detection and protection included, or is it extra?
    • A: It’s an optional add-on. If you have an EDR tool today, you can continue to use it.
  • Q: If I’m using a different MDM solution already, can Kandji enhance our security and features?
    • A: Apple devices can only be enrolled in one MDM at a time. The old MDM profile would need to be removed first.
  • Q: Is Cursor AI planned for release as an Auto App?
    • A: Apps are queued up based on customer demand. If you're a Kandji customer and haven't already, submit a feature request for that auto-app in your Kandji tenant.
  • Q: How does manual enrollment work with blueprints? What do blueprints mean in the context of enrolling Mac or iOS?
    • A: Blueprints are composed of library items (any apps/scripts/configurations you want to apply to a device), and constantly enforce any configurations in that blueprint.
  • Q: What happens if I have an App that is not on your approved list?
  • Q: Do you have Jump Desktop and Parallels as an App?
    • A: Our full list is here.
  • Q: How is Kandji different from competitors?
    • A: Kandji is built specifically for Apple, combining MDM with the Kandji Agent to deliver a seamless experience for both end users and IT administrators. Unlike other solutions, Kandji syncs device information in real time. It also streamlines app deployment with 200+ pre-packaged applications that can be installed with just two clicks, reducing the need for manual packaging and minimizing admin overhead. The Kandji admin console provides instant feedback on policy success or failure, making troubleshooting more efficient. Additionally, Kandji enables users to log in to their Mac with Entra ID credentials, ensuring password synchronization and enforcing MFA at login, a feature Intune does not support. With faster updates, easier app deployment, and deeper macOS integration, Kandji provides a superior Apple device management experience.
  • Q: I have a single unsigned app built for internal use, can I upload this to Kandji?
    • A: Absolutely, you can read more here.
  • Q: How does Kandji handle uninstalling apps?
    • A: The best practice for removing applications would be to write a custom script to take that action. This way you can decide if you want to remove the application, the application data, and/or the user data. 
  • Q: What features for "nested" management are out there for an MSP to manage different companies in a single instance?
    • A: Utilizing multiple Assignment Maps could be a great way to break up the management of devices into distinct areas. See our support article here.
  • Q: So every 15 minutes the entire device inventory is collected?
    • A: Different features check-in at various times. Please see our support article that outlines those differences.
  • Q: Will there be an option to retain the eSIM or delete it when wiped?
    • A: When sending the erase command to a device, we preserve the eSIM data. We are working to get this information added to the Admin portal.
  • Q: Do you have an integration between Kandji and Azure Sentinel for security and SIEM monitoring?
    • A: Kandji is actively working on support for sending information to SIEM tools. Today device information can be accessed through our Enterprise API endpoints. Details are available here.
  • Q: What does the Kandji support model look like (SLA, dedicated account manager, priority support)?
    • A: Kandji's support information is available here and our SLA is available here. All Kandji customers have access to Support Engineers via live chat.
  • Q: How can we integrate with MS Device Compliance (Conditional Access)?
    • A: We have an excellent Support Guide you can find here that will walk you through integrating Microsoft Device Compliance with Kandji.
  • Q: Does Kandji offer administrative units to limit administrative capabilities for specific administrators?
    • A: This question can be interpreted in different ways. If referring to Administrator Privileges on the Kandji tenant, you can reference these Support articles here and here. If referring to managing Administrator privileges for the end user on their Mac, you can reference support articles here and here. Also our Support portal can provide answers if the question is referring to other types of Administrator privileges.
  • Q: Can we migrate devices from Jumpcloud MDM?
    • A: Yes.
  • Q: In a lab environment, we often need to install the full Adobe Suite, which can be as large as 30GB. What is your maximum file size push?
    • A: Per Adobe's guidelines we recommend deploying the Adobe Creative Cloud app and managing your deployment using their Admin portal. You can find the app conveniently available to you in our Auto Apps catalog. For Custom apps we have a 5GB file limit at this time.
  • Q: Does Kandji allow remote support?
    • A: At Kandji we believe that you should use the best tool for the job, and while we could integrate Remote Access functionality there are many excellent and dedicated solutions available to our customers that we've made available in the Auto Apps catalog. We can also provide the tools needed to manage permissions for these tools.
  • Q: Is Kandji able to manage system extensions easily?
  • Q: Do you have to add this to Apple Business Manager before it will populate into Kandji?
    • A: If you want to do zero-touch automated device enrollment, yes. You can always manually enroll devices that are not in Apple Business Manager.
  • Q: Can Kandji-enrolled devices be on a domain like the Azure boxes?
  • Q: Can you whitelist custom processes/applications so they're not flagged?
  • Q: Is multi-tenant capability available?
    • A: Not currently.
  • Q: Can you trigger different enrollment menus with the enrollment codes?
    • A: Yes, each enrollment code is tied to a specific blueprint. You can create a blueprint per department, or have one blueprint for all devices to enroll into and use directory integration to scope within that blueprint (department, job title, etc).
  • Q: Will this impact resource performance since it is sending more data via the agent?
    • A: Performance impact is negligible, if at all. EDR is already built into the Kandji agent that was engineered from the ground up in Swift language. It's very lightweight.
  • Q: Do I need to have an Apple developer enterprise account to use Kandji?
    • A: No, Apple developer accounts are not required.
  • Q: Can I delay a major OS update more than 90 days?
    • A: 90 days is the maximum deferral allowed by Apple.
  • Q: Are ADE and APNs tokens 1-to-1 per Kandji instance, or can we host multiple clients in a single Kandji instance with multiple APNs certs?
  • Q: Do you have 2MFA at the login screen?
  • Q: Can you lock or wipe a device for offboarding?
    • A: Yes. You can initiate device actions for specific controls like locking, erasing, etc. This could include automated workflows where a device is automatically wiped during offboarding.
  • Q: Do you integrate with Manage Engine or Freshservice?
    • A: No direct native integrations today, but we're always looking for feature requests to best understand our customers' needs. You can find our list of existing integrations here.
  • Q: Does Kandji have future plans with Android and Linux?
    • A: Not currently, but we love to hear that feedback!
  • Q: Does Kandji have N-1 and N-2 options for app updates?
    • A: For app updates, if you want version control, consider custom apps so you can target a version that you want on a device.
    • A: If you want to leverage auto apps, you can push either the latest version or a minimum version.
  • Q: How can Kandji help clarify what actions to take when threats are detected?
    • A: The 'Detect' mode is ideal if you want visibility into what Kandji EDR is identifying as potential threats without automatically taking action. This allows you to assess detections and gain insight into what would be quarantined if 'Protect' were enabled. On the other hand, 'Protect' mode takes proactive action on your behalf, automatically quarantining anything identified as a threat to prevent potential harm. If you're uncertain about what might be detected and removed, starting in 'Detect' mode can provide a better understanding before enabling 'Protect' for full enforcement. Also, customers do have the ability to whitelist and recover files they don't want quarantined.
  • Q: How does Kandji handle BYOD across different GDPR jurisdictions?
    • A: Kandji is designed to align with GDPR requirements across different jurisdictions by prioritizing privacy, security, and user control. See more info under our Privacy article.
  • Q: Can computers be assigned to any Blueprint automatically?
    • A: Using Apple Automated Device Enrollment (ADE) Settings – Devices enrolled via ADE can be automatically assigned to a specific Blueprint/Assignment Map based on ADE settings configured in Kandji.
  • Q: Does Kandji provide compliance frameworks (CIS benchmarks, NIST, etc.)?
    • A: With our Assignment Map templates, CIS offers a great starting point to getting toward CIS Compliance. It's always best to still check with an auditor to ensure compliance policies are appropriately applied.
  • Q: Sometimes app providers release lots of updates, and they are not necessarily security related. Is there a workaround to not overwhelm employees with alerts?
    • A: Yes! Kandji offers flexibility in managing app updates to prevent overwhelming employees with frequent alerts. Delay Enforced Updates – You can configure update deferrals to allow employees more time before updates are enforced. Custom App Update Policies – You can choose when and how updates are applied, prioritizing security updates while delaying non-critical ones. Exclusions & Targeting – Apply update policies only to specific groups, ensuring critical teams aren’t disrupted unnecessarily.
  • Q: How does Kandji work with AV?
    • A: Kandji can help deploy your AV by utilizing our Custom App Library item. With our Assignment Map templates, CIS offers a great starting point to getting toward CIS Compliance. It's always best to still check with an Auditor to ensure compliance policies are appropriately applied.
  • Q: Is it possible to distribute unsigned packages?
    • A: No, Kandji requires all packages to be signed for security and integrity purposes. If you have an unsigned package, you will need to sign it before deploying it through Kandji. You can use Apple’s productsign command or other signing tools to properly sign the package before distribution.
  • Q: What is the migration process like from another MDM? Does it require end user interaction?
    • A: We have a detailed blog on MDM migration here: Successful MDM Migration on Mac. Due to Apple's implementation of macOS/iOS enrollment, some user interaction is required. However, with the Kandji Migration Agent, we've minimized this to only the essential steps, making the transition as seamless as possible. 
  • Q: What if we have different parameter sets within an assignment map?
    • A: Each Assignment Map can have different parameters enabled to take on different actions.
  • Q: Will you help an organization onboard existing devices into Apple Business Manager if needed for further control?
    • A: This can only be done by either the vendor you purchased the Macs from or by using the Apple Configurator application yourself. More details can be found here: Apple Support Guide.
  • Q: Does Kandji have any features planned for web filtering?
    • A: Keep an eye out here.

What’s Next

Kandji Demo Day runs monthly, with each session diving deep into a specific feature—from identity-based login to vulnerability management and beyond.

Want to keep exploring?

We’ll also share a blog recap after each session—subscribe or check back regularly to stay in the loop.