
Getting Started with Kandji: Setup

  • Apple MDM Activation or Migration
  • Automated Device Enrollment and Apps & Books Integrations
  • User Sync Integration
  • Administrator Access
  • Library Items

Apple Push Notification Service Integration

Mobile Device Management (MDM) is a framework that allows devices to be secured and controlled and to have policies enforced remotely. Kandji is a modern MDM specifically for Apple devices. 

MDM for Apple relies on the Apple Push Notification service (APNs) to communicate with devices. In this article, we will explain how to create an APNs certificate to activate Kandji’s MDM capabilities. This step is required before you can enroll any devices.

A new APNs certificate should be generated for Kandji. Do not attempt to use an existing APNs certificate.

APNs certificates automatically expire annually. Each year you will need to renew your Kandji APNs certificate. Kandji will alert you when this certificate should be renewed.

  1. Navigate to Settings in the left-hand navigation bar.
  2. Select the Integrations tab.
  3. On the right-hand side of the screen click the Configure APNs button. 

Using an Apple ID linked to your business email address, follow the step-by-step instructions provided to obtain an APNs certificate and activate MDM functionality. We recommend creating a new Managed Apple ID in Apple Business Manager with a naming convention of APNS@YourDomain.com to avoid any potential ownership obstacles. Here is an article on how to do so.
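Because the APNs certificate expires annually, an independent expiry check is a useful backstop to the in-product alert. The script below is an added example, not Kandji tooling. It assumes you keep a copy of the certificate as a PEM file; the function names, the 30-day window and the constructed self-signed sample certificate are illustrative only.

```shell
#!/bin/sh
# Added example: classify a push certificate by the time left before expiry.
# Assumptions: the certificate is stored as a PEM file, and 30 days is an
# arbitrary renewal window (neither is a Kandji setting).

# apns_cert_status PEM_FILE [WARN_DAYS]
# Prints one of: ok | renew | expired | unreadable
apns_cert_status() {
    pem=$1
    warn_days=${2:-30}
    # Reject anything openssl cannot parse as an X.509 certificate.
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo unreadable
        return 0
    fi
    # -checkend N exits non-zero when notAfter falls within the next N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
        return 0
    fi
    if ! openssl x509 -in "$pem" -noout \
            -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo renew
        return 0
    fi
    echo ok
}

# make_sample_cert OUT_FILE DAYS
# Constructed self-signed stand-in for a push certificate, so the check can
# be exercised offline. The private key is discarded.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed-apns-sample" \
        -keyout /dev/null -out "$1" >/dev/null 2>&1
}

# Demo on the constructed certificate (valid for 365 days).
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/apns.pem" 365
printf 'status (30-day window): %s\n' "$(apns_cert_status "$demo_dir/apns.pem" 30)"
openssl x509 -in "$demo_dir/apns.pem" -noout -enddate
rm -rf "$demo_dir"
```

Run from a scheduled job, the status string can feed whatever alerting you already use; treat `unreadable` as a failure rather than silence.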

With APNs configured, you can further integrate Apple Business Manager with Automated Device Enrollment and Apps & Books.

Automated Device Enrollment and Apps & Books with Apple Business Manager

  • Automated Device Enrollment (formerly DEP) allows your organization’s devices to automatically enroll in Kandji when they are unboxed and connected to the internet.
  • Apps & Books (formerly VPP) allows you to deploy macOS and iOS App Store apps and books to your organization’s devices.

If you are not already enrolled in Apple Business Manager, you will want to do so with Apple here.

If you are migrating to Kandji from a previous MDM, be sure that you have added Kandji as a new MDM server inside of Apple Business Manager and reassigned your existing devices to Kandji. Apple allows only one MDM assignment per device. 

We strongly recommend that you run through the complete enrollment process at least once to confirm that devices enroll into Kandji as expected.

Assigning devices to Kandji in Apple Business Manager will not immediately enroll those devices. These devices will need to be enrolled manually, as automatic enrollment takes place during initial device setup. If you have questions, please reach out to Kandji Support for help determining the best enrollment options.

To configure Automated Device Enrollment in your Kandji account:

  1. Navigate to Settings in the left-hand navigation bar.
  2. Select the Integrations tab.
  3. Click the Configure button inside of Automated Device Enrollment.
  4. In the new window, follow all provided steps and select Done when finished.

To configure Apps & Books:

  1. Navigate to Settings in the left-hand navigation bar.
  2. Select the Integrations tab.
  3. Click the Configure button inside of Apps and Books.
  4. In the new window, follow all steps and select Complete Apps and Books setup when finished. More detailed instructions can be found here.

Now that Apple Business Manager is fully integrated, you can connect your organization's Office 365 or G Suite account to sync users and to identify which device belongs to which user.

User Directory Integration

Kandji makes it simple to assign specific users to specific devices. Connect your company's Office 365 or G Suite account in order to add all of your employees automatically. Kandji will sync in new users automatically after the integration is complete.

  1. Navigate to Settings in the left-hand navigation bar.
  2. Select the Integrations tab.
  3. Scroll down to User Integration and select G Suite or Office 365.
  4. Log in to your G Suite or Office 365 global administrator account and accept the access terms Kandji requires to sync in your users.

For more detailed information on syncing users see this article.

Administrator Access

Additional administrators can be added under the Access tab of the Settings section.

These are individuals you wish to give access to manage your Kandji web app, not end-users who will be assigned to enrolled devices.

  1. Click Settings in the left-hand navigation bar.
  2. Select the Access tab.
  3. Click New User on the top right.
  4. Fill in the required fields and choose an appropriate access level for the new team member.

Invitations expire after 24 hours. If 24 hours pass before the account is created, an existing administrator or account owner must resend the invitation from the Access tab under Settings.

Library Items

The Library section allows you to add and configure additional items such as profiles, scripts, App Store apps, and custom apps that will be deployed to your devices. To add an item to your library:

  1. Navigate to Library in the left-hand navigation bar.
  2. Click Add New from the top right of the screen.
  3. Click the library item you wish to add and follow the instructions provided.

Add as many library items as you’d like. You can also sync in App Store apps through your Apple Business Manager account once your Apps & Books integration is complete. At a minimum, we recommend adding the apps you know your devices will need for this initial setup. You can always add more library items down the road and deploy them to your devices after setup.

Adding custom library items allows you to configure complex tasks your organization may require. For example, in this article, we show you how to create a Kernel Extension Profile.

Note that, while library items are available for use in any Blueprint, some library items are compatible only with certain platforms. For instance, you can only deploy a Kernel Extension Profile to a macOS device but not to an iOS device.

Now that you have configured your Kandji account setup, it is time to define your device management strategy.

Next: Getting Started with Kandji: Define