Using Kandji on Enterprise Networks

Learn which hosts and ports are required to manage your Apple devices with Kandji.

Overview

Some organizations create enrollment-only networks or put proxies in place to limit access to the public internet. In these situations, it is important to ensure that your Apple devices can communicate with Apple's networks and Kandji to complete enrollment and management tasks.

Required Ports

| Hosts | Ports | Protocol | OS | Description |
| --- | --- | --- | --- | --- |
| kandji-prd.s3.amazonaws.com | 443 | TCP | macOS | Used by macOS devices to download the Kandji Agent & Custom Apps uploaded to your Kandji Instance. |
| kandji-prd-managed-library-items.s3.amazonaws.com | 443 | TCP | macOS | Used by macOS devices to download Auto Apps. |
| UUID.web-api.kandji.io | 443 | TCP | All | Used to communicate with Kandji via the MDM protocol, and by the Kandji Agent. Host is unique per Kandji instance. |

Note that the UUID preceding .web-api.kandji.io is unique to every Kandji instance. To find your company's unique URL, run the command below in Terminal on a macOS device enrolled in your Kandji instance, or contact Kandji Support.

Determine your organization's unique URL

Your Kandji UUID is a unique prefix that your devices use to communicate with Kandji.

Run the following terminal command on a macOS device enrolled in your Kandji instance to determine your organization's unique URL.

system_profiler SPConfigurationProfileDataType | grep CheckInURL | awk -v FS='(https://|/mdm)' '{print $2}'
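The following is an added example, not Kandji's own tooling: it reuses the command above to extract the check-in host, validates that it ends in .web-api.kandji.io, and prints the three table rows as allowlist entries that can then be probed on TCP 443. The function names and the sample profile line (with a placeholder UUID) are constructed for illustration.

```shell
#!/bin/sh
# Added example: build and check the Kandji allowlist from the page's table.

# Pull the check-in host out of profile text on stdin, using the same
# awk field split as the page's one-liner.
kandji_host_from_profile() {
    grep CheckInURL | awk -v FS='(https://|/mdm)' 'NF >= 3 { print $2; exit }'
}

# Accept only <label>.web-api.kandji.io, so a malformed or unexpected
# value never ends up in a firewall or proxy rule.
is_kandji_api_host() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9-]+\.web-api\.kandji\.io$'
}

# Print "host port protocol" for the three rows of the Required Ports table.
kandji_allowlist() {
    host=$1
    if ! is_kandji_api_host "$host"; then
        echo "unexpected check-in host: $host" >&2
        return 1
    fi
    printf '%s 443 tcp\n' \
        kandji-prd.s3.amazonaws.com \
        kandji-prd-managed-library-items.s3.amazonaws.com \
        "$host"
}

# Read allowlist lines on stdin and attempt a TCP connect to each one.
# Needs network access; returns non-zero if any host is unreachable.
probe_allowlist() {
    rc=0
    while read -r h p proto; do
        if nc -z -w 5 "$h" "$p" </dev/null >/dev/null 2>&1; then
            echo "ok      $h:$p/$proto"
        else
            echo "blocked $h:$p/$proto"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample line (placeholder UUID), not real system_profiler output.
SAMPLE_LINE='CheckInURL = "https://00000000-0000-0000-0000-000000000000.web-api.kandji.io/mdm/checkin";'
kandji_allowlist "$(printf '%s\n' "$SAMPLE_LINE" | kandji_host_from_profile)"
# On an enrolled Mac (network required):
#   kandji_allowlist "$(system_profiler SPConfigurationProfileDataType | kandji_host_from_profile)" | probe_allowlist
```

A successful TCP connect only shows that the port is reachable; it does not show that a TLS-inspecting proxy leaves the session intact.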

Learn which hosts and ports are required by Apple to use your devices on enterprise networks.

Apple has outlined its services' hosts and ports in this guide.

Apple Support: Use Apple products on enterprise networks

Communication Flow

Below is a diagram demonstrating the standard flow of communication between Kandji, APNS, and managed Apple devices.

[Diagram: communication flow between Kandji, APNS, and managed Apple devices]