Kandji 's Microsoft Device Compliance (MSDC) integration combines Kandji's device management and compliance features with Microsoft's conditional access capabilities. Built through Microsoft's device compliance partner program, this integration simplifies the setup and configuration process between Kandji and Microsoft and streamlines the deployment of required applications through the Kandji Library. Once configured and devices are registered with Microsoft, Kandji's device inventory and compliance data can be used in Microsoft Conditional Access policies. This ensures that only managed and compliant devices can access corporate resources. Kandji's MSDC integration supports macOS, iOS, and iPadOS devices.
Prerequisites
All Devices
Devices must be managed by Kandji
A Microsoft user directory integration must be set up in your Kandji tenant
A user from the configured directory integration must be assigned to the device record
Device users must be assigned a license for Intune
A Microsoft user account that can accept requested app permissions
Kandji must be configured as a device compliance partner in Intune
iOS and iPadOS Devices
Kandji Self Service must be deployed
The Microsoft Authenticator app from the Apple App Store must be assigned to Kandji via Apps and Books in Apple Business Manager or Apple School Manager
Microsoft Licensing: Enterprise Mobility + Security, which includes Microsoft Entra ID Premium and Microsoft Intune
Configuration Overview
Below are the basic steps required to set up and deploy Microsoft Device Compliance with Kandji.
Deploy Applications for end user device registration.
macOS - Configure the Microsoft Company Portal Auto App Library Item
iOS and iPadOS - Configure the Microsoft Authenticator Apps and Books Library Item
If you use Platform SSO with Microsoft Entra ID, please make sure this is deployed first, and have the user register with Platform SSO before registering with Microsoft Device Compliance.
If you do not utilize Platform SSO with Microsoft Entra ID, deploy Microsoft Single Sign-on Extension settings in the Single Sign-On Extension Library Item.
Set up and deploy Microsoft Single Sign-on Extension settings for configured device platforms. You can deploy the required settings using the Single-On Extension Library item or via a Custom Profile Library Item where you can upload a .mobileconfig file.
The Microsoft Single Sign-on Extension only needs to be deployed if it is not already deployed in your environment for the device platforms you have configured.