What's the difference between the Kandji Agent and MDM? Which piece does what?
What Is the Kandji Agent?
Kandji's proprietary macOS agent extends the functionality of our platform beyond what the MDM framework can achieve by itself. The Kandji Agent is custom-built using Swift, a streamlined programming language specifically designed for macOS. For more information about Kandji, you can read our platform overview.
What Is the MDM Framework?
Using Apple's MDM framework in macOS, iOS, iPadOS, and tvOS, administrators can deploy and configure apps and settings, collect device information, and remotely lock or wipe devices. This can be done with corporate-owned as well as BYOD devices.
One advantage of using Apple's MDM framework is how quickly it can communicate with devices. That means commands (such as to lock or erase devices) are implemented almost instantly. This is made possible by the Apple Push Notification service (APNs). Apple devices are constantly polling APNs for notifications requesting that managed devices check in with their MDM servers. Because of this constant polling, management of online devices can happen almost instantly.
Which Actions Are Performed by the Kandji Agent?
- Parameters: Most Parameters go beyond the MDM framework. For example, the Manage SSH Config parameter requires the agent to write to the SSH config file.
- Collection of additional computer details: The full application list, as well as other system details, can not always be pulled via the MDM framework. The Kandji agent helps pull these other details.
- Native Application Blocking: The agent handles the ability to block applications and present the Kandji dialog window.
- Scripts: All scripts are run as root by the Kandji Agent.
- Custom Apps: Installation of DMG, PKG, and ZIP files. Running the audit, pre-install, and post-install scripts and forcing restarts if that option is enabled.
- Auto Apps: Installation and enforced updates for Auto Apps are handled via the Kandji agent.
- Endpoint Detection and Response: EDR and its associated scans are completed using the agent.
Which Items does MDM Handle?
- Profile Installation: MDM profiles are delivered via the MDM protocol.
- MDM Commands: Commands such as those available in the device Action menu are sent via the MDM protocol.
- Apps and Books installation (formerly VPP): Apps acquired via Apple Business Manager and deployed via Kandji are installed by leveraging the MDM protocol.
- Over-the-air enrollment profiles: When users navigate to the enrollment portal and download the enrollment profile, the communication between the device and Kandji to enroll the device is done via the MDM protocol.
- Automated Device Enrollment (formerly DEP): Automated Device Enrollment leverages the MDM protocol to enroll devices during setup.
- Kandji Agent installation: When a macOS device is enrolled into Kandji, one of the first commands initiated is the InstallEnterpriseApplication command to install the Kandji Agent.
- Kandji Agent re-installation: When a macOS device has checked in via MDM in the last 7 days, but not via the Kandji Agent in the last 7 days, an InstallEnterpriseApplication command will be automatically sent in an attempt to reinstall the Kandji Agent.