Parameter Transition

Understand which Parameters are being transitioned to Library items and what action is required by Kandji administrators.

Why are these Parameters being transitioned?

With macOS Big Sur, Apple introduced security improvements that require configuration profiles to be installed either by a user through System Preferences or by the MDM server the device is enrolled in. This change improves security by preventing privileged processes from installing configuration profiles silently.

For a minority of Parameters, the Kandji Agent installs configuration profiles to apply and enforce settings. To support the changes in macOS Big Sur, we have transitioned these Parameters to new Library items in which the configuration profile portion of the control is installed via MDM.

Additionally, for some of these new Library items, such as FileVault and Firewall, the agent logic has been improved to work alongside the MDM-installed profiles and to continue enforcing settings beyond what configuration profiles alone can currently achieve. Examples include regenerating FileVault Recovery Keys for previously encrypted macOS devices, setting extended logging options for the macOS Firewall, and re-enabling the Firewall if a local administrator manually disables it.

What to expect

Learn what to expect when devices upgrade to macOS Big Sur.

For your devices that are already enrolled into Kandji and upgrade to macOS Big Sur

The profiles installed by the Kandji Agent will not be removed until you disable the Parameter as part of migrating to the new Library item equivalent. However, if the profile is removed, remediations will fail on macOS Big Sur, because the Kandji Agent can no longer reinstall the profile via the Parameter.

For devices running Big Sur that are enrolled into Kandji

The Kandji Agent will report these Parameters that install configuration profiles as Incompatible and will not install the configuration profile.

Action required

If you are currently using any of the Parameters listed below and want to enforce these controls on macOS Big Sur, you will need to migrate to the new Library item equivalent of each Parameter.

Even if you have not transitioned your environment to Big Sur yet, we recommend migrating as soon as possible, as the Library items will work for both macOS Big Sur and previous versions of macOS. You are not required to enable both the Parameter and Library item to support multiple macOS versions in a single blueprint.

How to migrate

Migrating from a Parameter to its Library item equivalent is straightforward in most cases, because macOS can usually have multiple configuration profiles of the same type installed at a time (although there are exceptions).

To migrate, add the new Library item to your Library and match its settings to those you have configured with Parameters in your Blueprints. When the settings match, assign the Library item to the Blueprint. After you have confirmed that the Library item has successfully deployed to the bulk of your devices, disable the Parameter.

Special consideration for migrating to the FileVault Library item

When migrating to the new FileVault Library item, special consideration is needed, because macOS can only have one FileVault Escrow profile installed at a time.

  1. First disable both FileVault Parameters, then wait roughly 15-30 minutes for the majority of your devices to check in and for the Kandji Agent to uninstall the manually installed configuration profiles.
  2. After this, assign your new FileVault Library item to the Blueprint being migrated. No end-user interaction or disturbance will occur as long as a FileVault key was previously escrowed.
  3. Disabling the legacy FileVault Parameter(s) will NOT delete any currently escrowed FileVault Recovery Keys.

If a device is not online for the Kandji Agent to uninstall the manually installed FileVault profiles before the new Library item is deployed, you may see the new Library item initially fail to install, because macOS allows only one of these profile types at a time. This error will self-correct at the next daily MDM check-in, provided the Kandji Agent has since removed the manually installed profile.

To initiate this remediation process manually, you can run the following commands locally.

This command forces an agent check-in and removes the FileVault profile (if the Parameter has been disabled):

sudo kandji run

This command forces the daily MDM check-in commands to run, triggering an install of the new FileVault Library item:

sudo kandji update-mdm
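The following script is an added example, not Kandji's code: it runs the two commands above in the order the article gives and, between steps, lists which installed profiles still carry a FileVault escrow payload, so an administrator can see whether the legacy agent-installed profile is gone before the MDM-delivered one is expected to land. It assumes the Kandji CLI is on PATH as "kandji", that the escrow payload has the type com.apple.security.FDERecoveryKeyEscrow, and that `profiles show -type configuration` prints its usual text format; the sample output embedded for dry runs is constructed.

```shell
#!/bin/sh
# Added example for the FileVault migration steps; not Kandji's own code.
# Assumptions: "kandji" is on PATH, the escrow payload type is
# com.apple.security.FDERecoveryKeyEscrow, and `profiles show` prints
# its usual text format (mirrored by the constructed sample below).
ESCROW_PAYLOAD="com.apple.security.FDERecoveryKeyEscrow"

# Print the identifiers of installed profiles that carry the escrow payload.
# Reads `profiles show -type configuration` text on stdin.
escrow_profile_ids() {
    awk -v payload="$ESCROW_PAYLOAD" '
        /attribute: profileIdentifier:/ { id = $4 }
        /payload\[[0-9]+\] type = / && $NF == payload { print id }
    '
}

# Number of installed profiles carrying the escrow payload (0 when none).
escrow_profile_count() {
    escrow_profile_ids | wc -l | tr -d ' '
}

# Constructed sample in the shape `profiles show` prints: one Firewall
# profile and one legacy FileVault escrow profile (two payloads).
SAMPLE_PROFILES_OUTPUT='_computerlevel[1] attribute: name: Firewall
_computerlevel[1] attribute: profileIdentifier: com.example.firewall
_computerlevel[1] payload[1] type = com.apple.security.firewall
_computerlevel[2] attribute: name: FileVault Escrow
_computerlevel[2] attribute: profileIdentifier: com.example.legacy-fv-escrow
_computerlevel[2] payload[1] type = com.apple.security.FDERecoveryKeyEscrow
_computerlevel[2] payload[2] type = com.apple.MCX.FileVault2'

# Run the article's two commands in order, reporting the escrow profiles
# present at each step. Must run as root on an enrolled Mac.
remediate_filevault_migration() {
    echo "Escrow profiles before: $(profiles show -type configuration | escrow_profile_ids)"
    kandji run          # agent check-in; removes legacy profile if the Parameter is disabled
    echo "After agent check-in: $(profiles show -type configuration | escrow_profile_ids)"
    kandji update-mdm   # MDM check-in; installs the new FileVault Library item
    echo "After MDM check-in: $(profiles show -type configuration | escrow_profile_ids)"
}

if [ "$(uname)" = "Darwin" ] && command -v kandji >/dev/null 2>&1 && [ "$(id -u)" = "0" ]; then
    remediate_filevault_migration
else
    echo "Not an enrolled Mac running as root; dry run on constructed sample:"
    printf '%s\n' "$SAMPLE_PROFILES_OUTPUT" | escrow_profile_ids
fi
```

Run it with sudo on the affected Mac; if the legacy identifier still appears after the agent check-in, the Parameter has not yet been disabled for that device and the MDM install will fail again.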

Transitioned Parameters

Understand which Parameters are being transitioned and which Library items you should use to replace them. Many of these new Library items have additional benefits, such as rotating the FileVault Recovery Key automatically.

Parameter | Library Item Replacement | Library Item Option

Enable FileVault 2 | FileVault | FileVault enforcement
Escrow FileVault Recovery Keys to Kandji | FileVault | Escrow recovery keys to Kandji

Manage Screen Saver | Screen Saver | Configure Screen Saver for Login Window, Configure Screen Saver for users

Restrict App Store app installs and software updates to admin users | Software Update | Restrict software updates to admins
Disable Beta Updates | Software Update | Disallow install of macOS beta releases
Automatically check for updates | Software Update | Check for updates
Automatically download and install security updates | Software Update | Install system data files and security updates
Download macOS and App Store app updates in the background | Software Update | Download new updates when available
Automatically install macOS updates | Software Update | Install available macOS updates automatically
Automatically install App Store updates | Software Update | Install App Store app updates
Delay software update availability | Software Update | Defer Software Updates

Disable software update notifications | App Store | Disable software update notifications
Restrict App Store to software updates only | App Store | Block Mac App Store

Manage media access | Media Access | Manage Media Access
Disconnect all media at logout | Media Access | Disconnect all media at logout
Manage disc burning | Media Access | Manage disc burning

Display login window as name and password | Login Window | Manage user visibility
Disable and remove password hints | Login Window | Manage password hints
Disable fast user switching menu | Login Window | Disable the fast user switching menu
Enforce a custom message for the lock screen | Login Window | Set Lock Message
Log out inactive users | Login Window | Automatically log out inactive users

Manage Gatekeeper | Gatekeeper | Allow apps downloaded from
Disallow users from overriding Gatekeeper settings | Gatekeeper | Disallow users from overriding Gatekeeper Settings

Ensure Firewall is configured to log | Firewall | Ensure Firewall is configured to log
Enable Firewall | Firewall | Firewall Status
Enable stealth mode | Firewall | Stealth Mode
Block all incoming connections | Firewall | Block All Incoming Connections
Block built-in apps from receiving incoming connections | Firewall | The "Automatically allow signed downloaded software" and "Automatically allow built-in software" options aren't supported, but both are forced ON when this payload is present.
Block downloaded apps from receiving incoming connections | Firewall | The "Automatically allow signed downloaded software" and "Automatically allow built-in software" options aren't supported, but both are forced ON when this payload is present.
Enable detailed firewall logging | Firewall | Ensure detailed firewall logging

Disable waking for network access | Energy Saver | Wake for network access
Disable sleeping when connected to power | Energy Saver | Disable sleep

Disallow unlock with Apple Watch | Restrictions | Disallow using Apple Watch for device unlock
Disallow unlock with Touch ID | Restrictions | Disallow using Face ID / Touch ID for device unlock
Disallow sending diagnostic and usage data to Apple | Restrictions | Disallow sending diagnostics and usage data to Apple
Disable Content Caching | Restrictions | Disallow use of Content Caching service
Disallow AirDrop | Restrictions | Disallow AirDrop
Disallow password sharing via AirDrop Passwords | Restrictions | Disallow Password Sharing
Disable Camera | Restrictions | Disallow use of camera
Disable Safari AutoFill | Restrictions | Disallow Safari AutoFill
Disallow Safari Password AutoFill | Restrictions | Disallow AutoFill Passwords
Disallow Game Center | Restrictions | Disallow use of Game Center
Disallow iCloud Desktop & Documents Sync | Restrictions | Disallow iCloud Desktop & Documents
Disallow iCloud Drive | Restrictions | Disallow iCloud Drive
Disallow iCloud Photos | Restrictions | Disallow iCloud Photo Library
Disallow iCloud Mail | Restrictions | Disallow iCloud Mail
Disallow iCloud Contacts | Restrictions | Disallow iCloud Address Book
Disallow iCloud Calendar | Restrictions | Disallow iCloud Calendar
Disallow iCloud Reminders | Restrictions | Disallow iCloud Reminders
Disallow iCloud Bookmarks | Restrictions | Disallow iCloud Bookmarks
Disallow iCloud Notes | Restrictions | Disallow iCloud Notes
Disallow iCloud Keychain Sync | Restrictions | Disallow iCloud Keychain
Disallow password proximity requests | Restrictions | Disallow proximity based password sharing requests

Lock screen after Screen Saver or sleep begins | Passcode | Require Passcode After Sleep or Screen Saver Begins
Disallow simple passwords | Passcode | Disallow Simple Passcode
Maximum failed login attempts | Passcode | Maximum Failed Attempts Before Account Lockout
Account lockout duration | Passcode | Account Lockout Duration
Minimum number of complex characters | Passcode | Minimum Complex Characters
Minimum password length | Passcode | Minimum Passcode Length
Require alphanumeric password | Passcode | Require Alphanumeric Passcode
Maximum allowed password age | Passcode | Maximum Passcode Age
Password history | Passcode | Passcode History
Force user to reset password at next authentication | Passcode | Force Password Reset