Understand which Parameters are being transitioned to Library items and what action is required by Kandji administrators.
Why are these Parameters being transitioned?
With macOS Big Sur, Apple introduced security improvements that require configuration profiles to be installed either by a user through System Preferences or by the MDM server the device is enrolled in. This change improves security by preventing privileged local processes from installing configuration profiles silently.
For a minority of Parameters, the Kandji Agent installs configuration profiles to apply and enforce settings. To support the changes in macOS Big Sur, we have transitioned these Parameters to new Library items, where the configuration profile portion of each control is installed via MDM.
Additionally, for some of these new Library items, such as FileVault and Firewall, the agent logic has been improved to work alongside the profiles when these Library items are configured, and it continues to enforce settings beyond what configuration profiles can currently achieve. Examples include regenerating FileVault Recovery Keys for previously encrypted macOS devices, setting extended logging options for the macOS Firewall, and re-enabling the Firewall if a local administrator manually disables it.
What to expect
Learn what to expect when devices upgrade to macOS Big Sur.
For your devices that are already enrolled into Kandji and upgrade to macOS Big Sur:
The profiles installed by the Kandji Agent will not be removed until you disable the Parameter as part of migrating to the new Library item equivalent. However, remediations will fail on macOS Big Sur if the profile is removed, because the Kandji Agent cannot reinstall the profile via the Parameter.
For devices running Big Sur that are enrolled into Kandji:
The Kandji Agent will report these Parameters (the ones that install configuration profiles) as Incompatible and will not install the configuration profile.
If you are currently using any of the Parameters listed below and want to enforce these controls on macOS Big Sur, you will need to migrate to the new Library item equivalent of the Parameter.
Even if you have not transitioned your environment to Big Sur yet, we recommend migrating as soon as possible, as the Library items will work for both macOS Big Sur and previous versions of macOS. You are not required to enable both the Parameter and Library item to support multiple macOS versions in a single blueprint.
How to migrate
Migrating from a Parameter to its Library item equivalent is straightforward in most cases, as macOS can usually have multiple configuration profiles of the same type installed at once (although there are exceptions).
To migrate, simply add the new Library item to your Library and match the settings you have configured with Parameters in your Blueprints. Once you have these settings matched, assign the Library item to the Blueprint. Once you have confirmed that the Library item has successfully deployed to the bulk of your devices, you can disable the Parameter.
Special consideration for migrating to the FileVault Library item
When migrating to the new FileVault Library item, special consideration needs to be made, as macOS can only have one FileVault Escrow profile installed at a time.
- You will need to first disable both FileVault Parameters and wait roughly 15-30 minutes for the majority of your devices to check in and for the Kandji Agent to uninstall the manually installed configuration profiles.
- After this, assign your new FileVault Library item to the Blueprint being migrated. No end-user interaction or disruption will occur as long as a FileVault key was previously escrowed.
- Disabling the legacy FileVault Parameter(s) will NOT delete any currently escrowed FileVault Recovery Keys.
If a device is not online for the Kandji Agent to uninstall the manually installed FileVault profiles before the new Library item is deployed, you may see the new Library item initially fail to install, because macOS allows only one of these profile types at a time. This error will self-correct at the next daily MDM check-in if the Kandji Agent has since removed the manually installed profile.
To initiate this remediation process manually, you can run the following commands locally.
This command forces a check-in and removes the FileVault profile (if the Parameter has been disabled):
sudo kandji run
This command forces the daily MDM check-in commands to run, triggering an install of the new FileVault Library item:
sudo kandji update-mdm
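Between `sudo kandji run` and `sudo kandji update-mdm`, an administrator may want to confirm that the legacy escrow profile is actually gone before the MDM profile is pushed, since the "only one escrow profile at a time" rule is what makes the new FileVault Library item fail. The script below is an added example, not Kandji's code or tooling. It parses the XML plist printed by `sudo profiles -C -o stdout-xml` and reports every installed computer-level profile that carries a `com.apple.security.FDERecoveryKeyEscrow` payload (the payload type macOS uses for FileVault key escrow). The plist layout it expects (a top-level `_computerlevel` array of profile dicts, each with `ProfileIdentifier` and a `ProfileItems` array of payload dicts with `PayloadType`) is assumed from that tool's output; the embedded sample plist and its profile identifiers are constructed for the example.

```python
"""Check a Mac for the FileVault escrow-profile conflict described above.

Added example, not Kandji's code. Layout of the `profiles` plist output
is assumed (see lead-in); the sample plist below is constructed.
"""
import plistlib
import subprocess
import sys

# Payload type macOS uses for FileVault recovery-key escrow. macOS accepts
# only one installed profile carrying this payload at a time.
ESCROW_PAYLOAD = "com.apple.security.FDERecoveryKeyEscrow"


def escrow_profiles(plist_xml: bytes) -> list[str]:
    """Return identifiers of installed profiles that carry an escrow payload."""
    data = plistlib.loads(plist_xml)
    found = []
    for profile in data.get("_computerlevel", []):  # assumed key, see lead-in
        payload_types = {item.get("PayloadType") for item in profile.get("ProfileItems", [])}
        if ESCROW_PAYLOAD in payload_types:
            found.append(profile.get("ProfileIdentifier", "<unknown>"))
    return found


def migration_status(plist_xml: bytes) -> str:
    """'ready' when no escrow profile is installed, so the new MDM-delivered
    FileVault profile can install; 'escrow-profile-present' otherwise, which
    after disabling the Parameters means the agent has not yet removed the
    legacy profile (or the new Library item has already landed)."""
    return "ready" if not escrow_profiles(plist_xml) else "escrow-profile-present"


# Constructed sample mimicking `profiles -C -o stdout-xml` on a device that
# still has the agent-installed escrow profile plus an unrelated Firewall
# profile. Identifiers are placeholders, not real Kandji values.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>_computerlevel</key>
  <array>
    <dict>
      <key>ProfileIdentifier</key>
      <string>example.legacy-agent.filevault-escrow</string>
      <key>ProfileItems</key>
      <array>
        <dict><key>PayloadType</key><string>com.apple.security.FDERecoveryKeyEscrow</string></dict>
      </array>
    </dict>
    <dict>
      <key>ProfileIdentifier</key>
      <string>example.mdm.firewall</string>
      <key>ProfileItems</key>
      <array>
        <dict><key>PayloadType</key><string>com.apple.security.firewall</string></dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""


def main() -> None:
    if "--sample" in sys.argv:
        xml = SAMPLE_PLIST
    else:
        # Live run: macOS only, needs root to see computer-level profiles.
        xml = subprocess.run(["sudo", "profiles", "-C", "-o", "stdout-xml"],
                             check=True, capture_output=True).stdout
    ids = escrow_profiles(xml)
    print("escrow profiles:", ids if ids else "none")
    print("status:", migration_status(xml))


if __name__ == "__main__":
    main()
```

Run it with `--sample` to see the constructed case, or without arguments on a Mac after `sudo kandji run`: a `ready` status means the legacy profile is gone and `sudo kandji update-mdm` should install the Library item cleanly; `escrow-profile-present` right after disabling the Parameters means the device has not finished the agent-side cleanup yet.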
Understand which Parameters are being transitioned and which Library items you should leverage to replace them. Many of these new Library items have additional new benefits, such as rotating the FileVault Key automatically.
| Parameter | Library Item Replacement | Library Item Option |
|---|---|---|
| Enable FileVault 2 | FileVault | |
| Escrow FileVault Recovery Keys to Kandji | FileVault | Escrow recovery keys to Kandji |
| Manage Screen Saver | Screen Saver | Configure Screen Saver for Login Window, Configure Screen Saver for users |
| Restrict App Store app installs and software updates to admin users | Software Update | Restrict software updates to admins |
| Disable Beta Updates | Software Update | Disallow install of macOS beta releases |
| Automatically check for updates | Software Update | Check for updates |
| Automatically download and install security updates | Software Update | Install system data files and security updates |
| Download macOS and App Store app updates in the background | Software Update | Download new updates when available |
| Automatically install macOS updates | Software Update | Install available macOS updates automatically |
| Automatically install App Store updates | Software Update | Install App Store app updates |
| Delay software update availability | Software Update | Defer Software Updates |
| Disable software update notifications | App Store | Disable software update notifications |
| Restrict App Store to software updates only | App Store | Block Mac App Store |
| Manage media access | Media Access | Manage Media Access |
| Disconnect all media at logout | Media Access | Disconnect all media at logout |
| Manage disc burning | Media Access | Manage disc burning |
| Display login window as name and password | Login Window | Manage user visibility |
| Disable and remove password hints | Login Window | Manage password hints |
| Disable fast user switching menu | Login Window | Disable the fast user switching menu |
| Enforce a custom message for the lock screen | Login Window | Set Lock Message |
| Log out inactive users | Login Window | Automatically log out inactive users |
| | Gatekeeper | Allow apps downloaded from |
| Disallow users from overriding Gatekeeper settings | Gatekeeper | Disallow users from overriding Gatekeeper Settings |
| Ensure Firewall is configured to log | Firewall | Ensure Firewall is configured to log |
| Enable stealth mode | Firewall | |
| Block all incoming connections | Firewall | Block All Incoming Connections |
| Block built-in apps from receiving incoming connections | Firewall | The "Automatically allow signed downloaded software" and "Automatically allow built-in software" options aren't supported, but both are forced ON when this payload is present. |
| Block downloaded apps from receiving incoming connections | Firewall | The "Automatically allow signed downloaded software" and "Automatically allow built-in software" options aren't supported, but both are forced ON when this payload is present. |
| Enable detailed firewall logging | Firewall | Ensure detailed firewall logging |
| Disable waking for network access | Energy Saver | Wake for network access |
| Disable sleeping when connected to power | Energy Saver | Disable sleep |
| Disallow unlock with Apple Watch | Restrictions | Disallow using Apple Watch for device unlock |
| Disallow unlock with Touch ID | Restrictions | Disallow using Face ID / Touch ID for device unlock |
| Disallow sending diagnostic and usage data to Apple | Restrictions | Disallow sending diagnostics and usage data to Apple |
| Disable Content Caching | Restrictions | Disallow use of Content Caching service |
| Disallow AirDrop | Restrictions | Disallow AirDrop |
| Disallow password sharing via AirDrop Passwords | Restrictions | Disallow Password Sharing |
| Disable Camera | Restrictions | Disallow use of camera |
| Disable Safari AutoFill | Restrictions | Disallow Safari AutoFill |
| Disallow Safari Password AutoFill | Restrictions | Disallow AutoFill Passwords |
| Disallow Game Center | Restrictions | Disallow use of Game Center |
| Disallow iCloud Desktop & Documents Sync | Restrictions | Disallow iCloud Desktop & Documents |
| Disallow iCloud Drive | Restrictions | Disallow iCloud Drive |
| Disallow iCloud Photos | Restrictions | Disallow iCloud Photo Library |
| Disallow iCloud Mail | Restrictions | Disallow iCloud Mail |
| Disallow iCloud Contacts | Restrictions | Disallow iCloud Address Book |
| Disallow iCloud Calendar | Restrictions | Disallow iCloud Calendar |
| Disallow iCloud Reminders | Restrictions | Disallow iCloud Reminders |
| Disallow iCloud Bookmarks | Restrictions | Disallow iCloud Bookmarks |
| Disallow iCloud Notes | Restrictions | Disallow iCloud Notes |
| Disallow iCloud Keychain Sync | Restrictions | Disallow iCloud Keychain |
| Disallow password proximity requests | Restrictions | Disallow proximity based password sharing requests |
| Lock screen after Screen Saver or sleep begins | Passcode | Require Passcode After Sleep or Screen Saver Begins |
| Disallow simple passwords | Passcode | Disallow Simple Passcode |
| Maximum failed login attempts | Passcode | Maximum Failed Attempts Before Account Lockout |
| Account lockout duration | Passcode | Account Lockout Duration |
| Minimum number of complex characters | Passcode | Minimum Complex Characters |
| Minimum password length | Passcode | Minimum Passcode Length |
| Require alphanumeric password | Passcode | Require Alphanumeric Passcode |
| Maximum allowed password age | Passcode | Maximum Passcode Age |
| Password history | Passcode | Passcode History |
| Force user to reset password at next authentication | Passcode | Force Password Reset |