Kandji Beyond Identity Integration Guide

Introduction

This document describes how to integrate a Kandji environment with a Beyond Identity tenant, create an authentication policy based on the device being managed or unmanaged and test the authentication policy. 

 

Note: As of 21st July 2022 the integration is only available for macOS. We will update this guide when the iOS integration becomes available.

Step 1: Integrate Kandji with Beyond Identity – Kandji Configuration

API Availability

The Kandji API is automatically available to customers Plan 500 or higher, but it is not enabled on new or existing instances by default. Contact support to enable API access for your instance. 

API access is available as an add-on for customers below Plan 500. See pricing page for plan details. 

API Rate Limit

The Kandji API currently has an API rate limit of 10,000 requests per hour per tenant. 

Generate an API Token

Kandji uses instance-level bearer tokens to control access to the API To generate one: 

1. Log in and click on Settings.
2. Click the Access tab. 
3. Click the Add API Token button to create a new API key. 
   
   
   
   
   
   
4. After clicking Add API Token, provide a Name and a Description for your API token.
5. Click Create. 
   
   
6. Kandji will display a modal with the API token. Click the visibility symbol to expose it or use the Copy Token button to copy the API token to your clipboard, storing it in a safe place. Note: You will not be able to see the token details again.
7. Click Next.
   
   
8. Click Configure to manage the API permissions for this specific token. Assign all Read permissions for Devices. (i. e.  Select API GET operations for Devices).
   
   
9. After making your modifications, click Save.
   
   
   
   
10. Once you create your first token, you will see your instance-specific API URL.
    
    

 

Step 2: Integrate Kandji with Beyond Identity – Beyond Identity Configuration

1. Login to Beyond Identity Admin Console

 

2. Go to Integrations > END POINT MANAGEMENT > Kandji

 

 

3. Click Install this service next to Kandji

 

4. Enter the following information obtained from Kanji Admin UI.
   1. Host URL:

This should only include the API base URL. 

e.g. https://example.clients.us-1.kandji.io

DO NOT include /api/v1 at the end of this URL.

2. API Token:

 

5. Click “Save Changes”

If there is any error in the URL and/or the API Token Permissions, you may see an “input_invalid” error. Make sure to use the base URL only and GET operation permissions for the API token.

Step 3: Configure MDM Authentication Policy

1. Click another rule for iOS and publish it. (Please use this only after theLogin to Beyond Identity Admin Console

 

2. Go to Policy > Add Rule
   1. Create a rule to Deny authentication if the device is not MDM Enabled.
      1. Applies to Authentication
      2. Applies to macOS
      3. Checks if Kandji connection is available
      4. Checks if the device is not MDM enabled.
      5. Denies authentication
      6. Shows a custom error message

 

3. Click Add and then publish the rule.

 

4.  iOS integration becomes available.)

 

Step 4: Test MDM Authentication Policy

1. Login to Beyond Identity Admin Console first from a mac computer that is enrolled in Kandji Pro and then from a mac computer that is not enrolled in Kandji.

 

2. Confirm that the policy behavior is as expected.

 

3. Check the Events tab to ensure that the correct rule is triggered.

 

 

Appendix A: Getting started with Kandji Setup

Configure Apple Push Notification service (APNs)

Mobile device management (MDM) is a framework that allows devices to be secured and controlled, and to have policies enforced, remotely. MDM relies on the APNs to communicate with Apple devices. You must create a new APNs certificate before enrolling any devices.

1. In the left-hand navigation bar, click Settings.
2. Select the Apple Integrations tab.
3. Under Apple Push Notifications service (APNs), click Configure APNs.
   
   
4. Follow the on-screen instructions to create a new APNs certificate.

Do not attempt to use an existing APNs certificate. Use an Apple ID linked to your business email address. If you have an Apple Business Manager account or Apple School Manager account, we recommend creating a new Managed Apple ID in ABM or ASM named APNS@YourDomain.com. Refer to these articles to learn how to set up Managed Apple IDs for Apple Business Manager and Apple School Manager.

APNs certificates automatically expire annually, so you will need to renew your Kandji APNs certificate each year. Kandji will alert you when the certificate should be renewed.

Configure Automated Device Enrollment

Automated Device Enrollment allows devices to enroll automatically into Kandji when they are first powered on and set up. Once enrolled, devices will receive settings and apps configured within Kandji. 

 

To use Automated Device Enrollment, you must be enrolled in Apple Business Manager. There is no cost to enroll, but it may take several days to complete the process if you have not done so already.

If you already have Apple Business Manager set up and are migrating from a previous MDM, add Kandji as a new MDM server in Apple Business Manager and reassign devices to Kandji. Users with existing devices will not notice this change—it is only apparent when configuring a new device.

After you assign devices to Kandji in Apple Business Manager, they will appear in the Kandji web app in the Devices module under Automated Device Enrollment and the device name listed as Awaiting Enrollment. This does not mean devices are enrolled in Kandji; enrollment occurs during the new-device setup process.

Steps to configure Automated Device Enrollment 

1. In the left-hand navigation bar, click Settings.
2. Select the Apple Integrations tab.
3. Under Automated Device Enrollment, click  Configure.
   
   
4. Follow the on-screen instructions to set up Automated Device Enrollment.
   
   

Configure Apps & Books

Apps and Books allows you to get free and paid apps from Apple's App Store and distribute them to devices using Kandji. This is different from Auto Apps or Custom Apps in Kandji. 

To use Apps and Books, you will need to be enrolled in Apple Business Manager. To configure Apps and Books:

1. Navigate to Settings in the left-hand navigation bar.
2. Select the Apple Integrations tab.
3. Under Apps and Books, click Configure.
   
   
4. Follow the on-screen instructions to set up Apps and Books. For detailed instructions, see this article.
5. Click Complete Apps and Books setup.
   
   
   
   

Configure User Directory Integration

Connect your organization's Azure Active Directory, Google Workspace, or configure a SCIM integration with a service such as Okta to sync users and identify which device belongs to which user. Kandji makes it simple to assign users to devices. It is not required but helps for inventory purposes. Users will appear in Kandji under Users. For additional information, see this article.

Add Additional Administrators

Having more than one administrator helps in the event you are locked out of your account. To add additional administrators:

1. Click Settings in the left-hand navigation bar.
2. Select the Access tab.
3. Click New User on the top right.
4. Fill in the required fields and choose an appropriate access level for the new team member.
   
   

Invitations expire after 24 hours. If 24 hours pass before the account is created, an existing administrator or account owner must resend the invitation from the Access tab under Settings.

 

Appendix B: Notes

 

• Kandji only supports macOS and iOS operating systems.
• BI supports macOS and iOS (iOS is not released yet).
  • BI uses serial number of device to perform a real time lookup against Kandji’s API when making policy decisions and evaluating BI policy attributes
  • iOS - in order to leverage integration, the authenticator app needs to be pushed to iOS devices via Kandji along with appconfig