Getting Started with Kandji - Setup

  • Apple MDM Activation or Migration
  • Automated Device Enrollment and Apps & Books Integrations
  • User Sync Integration
  • Administrator Access
  • Library Items

Apple MDM Integration

Mobile Device Management (MDM) is a framework that allows devices to be secured, controlled, and have policies enforced remotely. Kandji is a modern MDM built specifically for Apple devices.

MDM with Apple relies on Apple’s Push Notification Services (APNS) to communicate with devices. In this article, we will create an APNS certificate to activate Kandji’s MDM capabilities. This step is required before you can enroll any devices.

A new APNS certificate should be generated for Kandji. Do not attempt to use an existing APNS certificate.

APNS certificates automatically expire annually. Each year you will renew your Kandji APNS Certificate. Kandji will alert you when this certificate should be renewed.

  1. Navigate to Settings in the left-hand navigation bar.
  2. Select the Integrations tab.
  3. On the right-hand side of the screen click the Configure MDM button. 

Using an Apple ID linked to your business email address, follow the step-by-step instructions provided to obtain an APNS certificate and activate MDM functionality. We recommend creating a new Managed Apple ID in Apple Business Manager with a naming convention of APNS@YourDomain.com to avoid any potential ownership obstacles. Here is an article on how to do so.

With MDM activated, let’s move on to further integrate Apple Business Manager with Automated Device Enrollment and Apps & Books.

Automated Device Enrollment and Apps & Books with Apple Business Manager

  • Automated Device Enrollment (formerly DEP) allows your organization’s devices to automatically enroll in Kandji when they are unboxed and connected to the internet.
  • Apps and Books (formerly VPP) allows you to deploy macOS and iOS App Store Apps and Books to your organization’s devices.

If you are not already enrolled in Apple Business Manager, you will want to do so with Apple here.

If you are migrating to Kandji from a previous MDM, ensure that you have added Kandji as a new “MDM Server” inside of Apple Business Manager and re-assigned your existing devices to Kandji. Apple only allows one MDM assignment per device.

We strongly recommend that you test the complete enrollment process at least once to ensure devices are enrolling into Kandji as expected.

Assigning devices to Kandji in Apple Business Manager will not immediately enroll those devices. These devices will need to be enrolled manually, as automatic enrollment takes place during initial device setup. If you have questions, please reach out to the Kandji Support Team for help determining the best enrollment options.

To configure Automated Device Enrollment in your Kandji account take the following steps:

  1. Navigate to Settings in the left-hand navigation bar.
  2. Select the Integrations tab.
  3. Click the Configure button inside of Auto-Enroll.
  4. In the new window, follow all provided steps and select Done when finished.

To configure Apps and Books take the following steps:

  1. Navigate to Settings in the left-hand navigation bar.
  2. Select the Integrations tab.
  3. Click the Configure button inside of Apps and Books.
  4. In the new window, follow all steps and select complete apps and books setup when finished. More detailed instructions can be found here.

Now that Apple Business Manager is fully integrated, let's connect an Office 365 or G Suite account to sync in users and easily identify which device belongs to whom.

User Directory Integration

Kandji makes it simple to assign specific users to specific devices. Connect your company's G Suite or Office 365 account in order to add all of your employees automatically. Kandji will sync in new users automatically after the integration is complete.

  1. Navigate to Settings in the left-hand navigation bar.
  2. Select the Integrations tab.
  3. Scroll down to User Integration and select G Suite or Office 365.
  4. Log in to your G Suite or Office 365 global administrator account and accept the access terms Kandji requires to sync in your users.

For more detailed information on syncing users see this article.

While syncing users allows us to identify device owners, let’s identify and invite additional Administrators to Kandji.

Administrator Access

Additional administrators can be added under the Team tab of the Settings section.

These are individuals you wish to give access to manage your Kandji Web App. (Not to be confused with end-users who will be assigned to enrolled devices.)

  1. Click Settings in the left-hand navigation bar.
  2. Select the Team tab.
  3. Click New User on the top right.
  4. Fill in the required fields and choose an appropriate access level for the new team member.

Invitations expire after 24 hours. If 24 hours pass before the account is created, an existing administrator or account owner must resend the invitation from the Team tab under Settings.

Library Items

The Library section allows you to add and configure additional items such as Profiles, Scripts, App Store Apps, and upload your own Custom Apps that will be deployed to your devices.

To add an item to your Library:

  1. Navigate to Library in the left-hand navigation bar.
  2. Click Add New from the top right of the screen.
  3. Click the Library item you wish to add and follow the instructions provided.

Add as many Library items as you’d like. You can also sync in App Store Apps through your Apple Business Manager account once your Apps and Books Integration is complete. At a minimum, we recommend adding the Apps you know your devices will need for this initial setup. You can always add more Library items down the road and deploy them to your devices after setup.

Adding in Custom Library items allows you to configure complex tasks your organization may require. For example, in this article, we show you how to create a Kernel Extension Profile.

Note that Library items are available for use in any Blueprint; however, some Library items are only compatible with certain platforms. For instance, you can only deploy a Kernel Extension Profile to a macOS device, and not iOS.

Now that you have configured how you want your Kandji account to be set up, it is time to Define your device management strategy.

Next: Getting Started with Kandji - Define