The Kandji team is introducing a new SSO Extension Profile (including built-in support for the Kerberos extension), as well as alerts for removed MDM profiles, the ability to remotely update Auto Admin passwords for supervised devices, the ability to use Global Profile Variables in AppConfig, and new Auto Apps: Google Chat, Front App, Visual Studio Code.
In case you missed it, last month we released the System Extensions Profile, AppConfig, and more.
Single Sign-On (SSO) Extension Profile
Apple’s new Extensible Enterprise SSO capabilities, introduced for iOS 13, iPadOS, and macOS Catalina, were designed to streamline the login experience with third-party identity management providers (IdPs). While IdPs work well in web browsers, they present some challenges with Mac apps and password synchronization for local macOS accounts.
Kandji’s new SSO Extension Profile will allow admins to take advantage of these powerful new SSO features and ensure your users can maintain an uninterrupted workflow in your workplace.
There are two types of SSO extensions: Credential and Redirect. See here in our SSO guide for more information on each type.
Our development team took a unique approach to this profile by taking the manual work out of creating a Kerberos extension, a first-party Credential extension created by Apple to replace Enterprise Connect. If you select the Kerberos extension, Kandji provides a friendly UI to fill in all the Kerberos keys and options (so you don’t have to create and upload a plist file). You can see a sample of what this looks like below.
A note on Redirect extensions, which are used for modern authentication methods, such as OpenID Connect, OAuth, and SAML2: Although Kandji fully supports this framework, identity providers are still in the process of building support for it. We always ask our customers to encourage their identity providers to support this in order to unlock this modern approach to SSO.
To learn how to take advantage of this new profile, read our SSO Extension Profile support article.
Alert for Removed MDM Profile
If a device is added to Kandji via the enrollment portal (Device Enrollment) instead of through Apple Business Manager (Automated Device Enrollment, formerly DEP) it is unlikely, but possible, for savvy end users who are local administrators to remove the MDM profile. This is an inherent limitation of this method of enrollment and why we always recommend, when possible, to enroll devices through Apple Business Manager (formerly DEP).
However, to ensure admins have the most possible control and visibility in cases where devices are enrolled through the enrollment portal and not through Apple Business Manager, Kandji now provides an alert to admins if one of your end users does remove that MDM profile so that action can be taken to re-enroll the device.
Remotely Update Auto Admin Password for Supervised Devices
For devices enrolled through Apple Business Manager (Automated Device Enrollment, formerly DEP), you also now have the option to reset the auto admin password. Read our support article to learn more about this new feature.
Note: This does not apply to or change any passwords for other local admin accounts. It only updates the password for the Auto Admin that is created when a device is added to Apple Business Manager.
Global Profile Variables in AppConfig
Last month we launched AppConfig, an MDM-agnostic way for admins to customize app settings and giving users the best out-of-the-box app experience as possible, for App Store Apps (Apps and Books from Apple Business Manager). As of today, Kandji admins can also use Global Profile Variables such as User Email, Device Name, or Asset Tag in your AppConfig dictionaries.
More Auto Apps
We are excited to continue to grow our Auto App library based on customer feedback. Last month we released VirtualBox, Spotify, Grammarly, and Plantronics Hub.
Today, we are announcing three new Auto Apps: Front App, Google Chat, and Visual Studio Code.
You can see our complete list of Auto Apps here.
With innovation and iteration at the core of everything we do, we’re constantly building solutions to give you more of what you need and improve upon features you already love. With Kandji, you can be confident that your Apple fleet is in safe and secure hands from deployment to retirement.