Using Kandji

Kandji lets you run a managed device deployment using a Kandji blueprint. Kandji (or any MDM) eliminates the manual steps on a Mac to trust the certificate and accept permissions for our system extension.

There are two primary components:

  1. MDM Profile: this is the config profile that contains the certificate, extension, VPN, and privacy permissions, so that the user never sees a pop-up. Without it, the user has to accept/authorize the installation manually (due to Apple security policies).

  2. Custom App Deployment: this is where you upload the full zip to Kandji to deploy to your devices, following the same steps as any managed deployment (upload the install zip as-is). Once distributed, Kandji will run the installer.

1. Upload the MobileConfig File

You can retrieve the MDM profile's XML here and directly upload it to JAMF. This will contain all requisite permissions at once, including:

  1. Root Certificate - for trusting the on-device SSL inspection

  2. Network Extension Permission - for re-routing traffic to the on-device proxy

  3. VPN Permission - for re-routing traffic to the on-device proxy

  4. Privacy Preferences Permission - for anti-tampering

You will need to add the XML to a .mobileconfig file and upload it to Kandji as shown below.

2. Deploy profile to devices

Add the custom profile to the blueprints on which you are going to install the endpoint. We always recommend deploying the profile before installing the software, so that there are no user pop-ups.
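
Because a payload missing from the profile is what brings the user pop-ups back, the .mobileconfig file can be checked before it is uploaded. The following is an added example, not vendor or Kandji code: it parses an unsigned profile and reports which of the four permissions from step 1 have no payload. The mapping to Apple payload types is an assumption (the page does not list the types the profile uses), and the sample profiles are constructed.

```python
import plistlib

# Assumed mapping from the four permissions listed in step 1 to Apple payload
# types; the vendor's profile may use different types, so adjust to match it.
REQUIRED = {
    "root certificate": {"com.apple.security.root"},
    "network extension": {"com.apple.system-extension-policy",
                          "com.apple.webcontent-filter"},
    "vpn": {"com.apple.vpn.managed"},
    "privacy preferences": {"com.apple.TCC.configuration-profile-policy"},
}


def missing_permissions(profile_bytes: bytes) -> list:
    """Return the required permissions that have no payload in the profile."""
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception as exc:  # malformed XML or not a plist at all
        raise ValueError(f"not a valid .mobileconfig plist: {exc}") from exc
    if not isinstance(profile, dict) or profile.get("PayloadType") != "Configuration":
        raise ValueError("top-level PayloadType is not 'Configuration'")
    present = {p.get("PayloadType") for p in profile.get("PayloadContent", [])
               if isinstance(p, dict)}
    return [name for name, types in REQUIRED.items() if not (types & present)]


def _constructed_profile(payload_types: list) -> bytes:
    """Build a minimal sample profile (constructed data, not the vendor's)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.sample-profile",
        "PayloadVersion": 1,
        "PayloadContent": [{"PayloadType": t, "PayloadVersion": 1}
                           for t in payload_types],
    })


COMPLETE = _constructed_profile([
    "com.apple.security.root", "com.apple.system-extension-policy",
    "com.apple.vpn.managed", "com.apple.TCC.configuration-profile-policy"])
NO_PPPC = _constructed_profile([
    "com.apple.security.root", "com.apple.system-extension-policy",
    "com.apple.vpn.managed"])

if __name__ == "__main__":
    print("complete profile missing:", missing_permissions(COMPLETE))
    print("profile without PPPC missing:", missing_permissions(NO_PPPC))
```

To check a real file, pass its contents to `missing_permissions()`, for example `missing_permissions(open(path, "rb").read())`; a signed profile has to be unwrapped first, because this sketch only reads plain plist data.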

3. Upload the application pkg zip

Add a new custom app into your library with the Mac package downloaded from your dope.console:

You can add the Blueprints that the application will be deployed to here, and select either:

  • Install once per device: This option will install the software only

  • Audit & Enforce: This will use a script to ensure the software remains installed (best practice, although the software is built to prevent removal)

After the library item has been set up, you will be able to deploy this to all of your devices quickly. You may opt to do a small test deployment, but we have seen admins deploy thousands of healthy installs in minutes.
