Introduction
This document describes how to integrate a Kandji MDM environment with a Beyond Identity tenant, create an authentication policy based on the device being managed or unmanaged, and test the authentication policy.
Available on: macOS
Contents
- Integrate Kandji with Beyond Identity – Kandji Configuration
- Integrate Kandji with Beyond Identity – Beyond Identity Configuration
- Configure the MDM Authentication Policy
- Test the MDM Authentication Policy
- Appendix A: Getting started with Kandji Setup
- Appendix B: Notes
Integrate Kandji with Beyond Identity – Kandji Configuration
API Availability
The Kandji API is automatically available to customers on Plan 500 or higher, but it is not enabled on new or existing instances by default. Contact support to enable API access for your instance.
API access is available as an add-on for customers below Plan 500. See the pricing page for plan details.
API Rate Limit
The Kandji API currently has an API rate limit of 10,000 requests per hour per tenant.
Generate an API Token
Kandji uses instance-level bearer tokens to control access to the API. To generate one:
- Log into Kandji and click on Settings > Access tab.
- Scroll down and click the Add API Token button to create a new API key.
- After clicking Add API Token, provide a Name and a Description for your API token.
- Click Create.
- Kandji will display a modal with the API token. Click the visibility symbol to expose it or use the Copy Token button to copy the API token to your clipboard, storing it in a safe place.
Note: You will not be able to see the token details again.
- Click Next.
- Click Configure to manage the API permissions for this specific token. Assign all Read permissions for Devices (i.e. select the API GET operations for Devices).
- After making your modifications, click Save.
- Once you create your first token, you will see your instance-specific API URL.
Integrate Kandji with Beyond Identity – Beyond Identity Configuration
- Login to the Beyond Identity Admin console.
- Go to Integrations > Endpoint Management > Kandji.
- Click the download icon to the right of Kandji.
- Enter the following information obtained from the Kandji Admin UI:
  - Host URL: This should only include the API base URL, e.g. https://example.clients.us-1.kandji.io. DO NOT include /api/v1 at the end of this URL.
  - API Token: The token you generated in Kandji.
- Click Save Changes.
If there is any error in the URL and/or the API Token Permissions, you may see an “input_invalid” error. Make sure to use the base URL only and GET operation permissions for the API token.
Configure the MDM Authentication Policy in Beyond Identity
- Log into the Beyond Identity Admin console.
- Navigate to Policy > Edit Policy > Add Rule.
- Create a rule to Deny authentication if the macOS device is not MDM enabled:
  - Under For any transaction, select Authentication.
  - Under If device platform is, select macOS.
  - Under If integration is, select Kandji > API is > available.
  - Under If integration is, click Add attribute and add this attribute under AND: Kandji > Device is managed > is > False.
  - Under Then, select Deny.
  - (Optional) Add a custom error message under Customize notification.
- Click Add.
- On the Edit Policy page, click Publish changes to publish the rules.
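To see how the pieces above fit together, here is an added Python example (not Beyond Identity's or Kandji's code) that models the Host URL check behind the input_invalid error, the serial-number lookup with a token that only has GET permission on Devices, and the macOS Deny rule. The /api/v1/devices path, the serial_number filter, the mdm_enabled field, and the sample inventory, serial and token are assumptions; the HTTP transport is injected so the example runs offline.

```python
from urllib.parse import parse_qs, urlencode, urlparse

def normalize_host_url(url: str) -> str:
    """Return the bare API base URL. A trailing /api/v1 (or any other path) is the
    misconfiguration behind the input_invalid error, so reject it outright."""
    parsed = urlparse(url.strip())
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("Host URL must be an https base URL")
    if parsed.path.strip("/"):
        raise ValueError("Host URL must not include a path such as /api/v1")
    return f"https://{parsed.netloc}"

def device_is_managed(base_url: str, token: str, serial: str, http_get) -> bool:
    """Look the Mac up by serial number using a token that only needs GET on Devices.
    The /api/v1/devices path, serial_number filter and mdm_enabled field are assumed.
    A serial Kandji has never seen counts as unmanaged, which is what the
    'not enrolled in Kandji' test computer exercises."""
    query = urlencode({"serial_number": serial})
    url = f"{normalize_host_url(base_url)}/api/v1/devices?{query}"
    status, body = http_get(url, {"Authorization": f"Bearer {token}"})
    if status in (401, 403):
        raise PermissionError("token rejected: verify it has GET permission on Devices")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    return any(d.get("serial_number", "").upper() == serial.upper() and d.get("mdm_enabled")
               for d in body)

def evaluate_rule(platform: str, api_available: bool, managed: bool) -> str:
    """The rule configured above: Authentication AND platform is macOS AND
    Kandji API is available AND Device is managed is False -> Deny."""
    if platform == "macOS" and api_available and not managed:
        return "Deny"
    return "Allow"  # rule does not match; the policy's other rules decide

def decide(base_url: str, token: str, serial: str, platform: str = "macOS", http_get=None) -> str:
    """Real-time lookup at authentication time, then apply the rule."""
    managed = device_is_managed(base_url, token, serial, http_get or fake_http_get)
    return evaluate_rule(platform, True, managed)

# Constructed sample inventory and offline transport standing in for Kandji (not real data).
SAMPLE_INVENTORY = [{"serial_number": "C02EXAMPLE01", "mdm_enabled": True}]

def fake_http_get(url, headers):
    if headers.get("Authorization") != "Bearer EXAMPLE-TOKEN":
        return 401, []
    serial = parse_qs(urlparse(url).query).get("serial_number", [""])[0]
    return 200, [d for d in SAMPLE_INVENTORY if d["serial_number"] == serial]
```

Swapping fake_http_get for a real HTTP client lets you confirm a token and a known serial resolve correctly before publishing the rule.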
Test the MDM Authentication Policy
- Verify the macOS policy:
- Log into the Beyond Identity Admin console first from a macOS computer that is enrolled in Kandji MDM and then from a macOS computer that is not enrolled in Kandji.
- Confirm that the policy behavior is as expected.
- Check the Events tab to ensure that the correct rule is triggered.
Appendix A: Getting started with Kandji Setup
Configure Apple Push Notification service (APNs)
Mobile device management (MDM) is a framework that allows devices to be secured and controlled, and to have policies enforced, remotely. MDM relies on the APNs to communicate with Apple devices. You must create a new APNs certificate before enrolling any devices.
- In the left-hand navigation bar, click Settings.
- Select the Apple Integrations tab.
- Under Apple Push Notifications service (APNs), click Configure APNs.
- Follow the on-screen instructions to create a new APNs certificate.
Do not attempt to use an existing APNs certificate. Use an Apple ID linked to your business email address. If you have an Apple Business Manager account or Apple School Manager account, we recommend creating a new Managed Apple ID in ABM or ASM named APNS@YourDomain.com. Refer to these articles to learn how to set up Managed Apple IDs for Apple Business Manager and Apple School Manager.
APNs certificates automatically expire annually, so you will need to renew your Kandji APNs certificate each year. Kandji will alert you when the certificate should be renewed.
Configure Automated Device Enrollment
Automated Device Enrollment allows devices to enroll automatically into Kandji when they are first powered on and set up. Once enrolled, devices will receive settings and apps configured within Kandji.
To use Automated Device Enrollment, you must be enrolled in Apple Business Manager. There is no cost to enroll, but it may take several days to complete the process if you have not done so already.
If you already have Apple Business Manager set up and are migrating from a previous MDM, add Kandji as a new MDM server in Apple Business Manager and reassign devices to Kandji. Users with existing devices will not notice this change—it is only apparent when configuring a new device.
After you assign devices to Kandji in Apple Business Manager, they will appear in the Kandji web app in the Devices module under Automated Device Enrollment, with the device name listed as Awaiting Enrollment. This does not mean the devices are enrolled in Kandji; enrollment occurs during the new-device setup process.
Steps to configure Automated Device Enrollment
- In the left-hand navigation bar, click Settings.
- Select the Apple Integrations tab.
- Under Automated Device Enrollment, click Configure.
- Follow the on-screen instructions to set up Automated Device Enrollment.
Configure Apps & Books
Apps and Books allows you to get free and paid apps from Apple's App Store and distribute them to devices using Kandji. This is different from Auto Apps or Custom Apps in Kandji.
To use Apps and Books, you will need to be enrolled in Apple Business Manager. To configure Apps and Books:
- Navigate to Settings in the left-hand navigation bar.
- Select the Apple Integrations tab.
- Under Apps and Books, click Configure.
- Follow the on-screen instructions to set up Apps and Books. For detailed instructions, see this article.
- Click Complete Apps and Books setup.
Configure User Directory Integration
Connect your organization's Azure Active Directory or Google Workspace, or configure a SCIM integration with a service such as Okta, to sync users and identify which device belongs to which user. Kandji makes it simple to assign users to devices. This is not required, but it helps for inventory purposes. Users will appear in Kandji under Users. For additional information, see this article.
Add Additional Administrators
Having more than one administrator helps in the event you are locked out of your account. To add additional administrators:
- Click Settings in the left-hand navigation bar.
- Select the Access tab.
- Click New User on the top right.
- Fill in the required fields and choose an appropriate access level for the new team member.
Invitations expire after 24 hours. If 24 hours pass before the account is created, an existing administrator or account owner must resend the invitation from the Access tab under Settings.
Appendix B: Notes
- Kandji only supports macOS and iOS operating systems.
- Beyond Identity supports macOS only.
- Beyond Identity uses the device's serial number to perform a real-time lookup against Kandji's API when making policy decisions and evaluating Beyond Identity policy attributes.