Parameter Transition

Understand which Parameters are being transitioned and what action is required by Kandji administrators.

Transition Overview

Parameters within Kandji are being transitioned to Library Items to give the product a more modern and scalable UI language and to make it easier to share configurations across Blueprints within an instance. The transition is also driven by a change in enforcement mechanism: settings are installed and enforced through MDM rather than by the Kandji Agent.

Timelines 

In October 2020, because of changes in macOS Big Sur, we transitioned 63 Parameters to Library Items; they are listed in the October 2020 - Transitioned Parameters section below.

A further 21 Parameters are being transitioned in March 2022; they are listed in the March 2022 - Transitioned Parameters section below.

As of March 23, 2022, the Kandji Agent stops enforcing all 84 transitioned Parameters on enrolled Mac computers. On April 6, 2022, the transitioned Parameters are removed from Kandji entirely.

Please note that although the Parameters will be removed from the Blueprint and device status areas, the Parameter history will remain in the activity areas. 

Action required

If you are currently using any of the Parameters listed below and want to enforce these controls on macOS Big Sur and later versions of macOS, you will need to migrate to the new Library Item or alternative control equivalent of the Parameter. 

Even if your fleet has not yet moved to Big Sur or later, we recommend migrating as soon as possible: the Library Items work on macOS Monterey, macOS Big Sur and earlier versions of macOS, so a Blueprint that covers several macOS versions needs only the Library Item, not both the Parameter and the Library Item.

How to migrate

In most cases a transitioned Parameter has a direct Library Item equivalent, and migrating is straightforward because macOS usually allows more than one installed configuration profile to carry the same payload type, so the Parameter and the Library Item can overlap during the switch. There are exceptions, notably the FileVault escrow profile; see Special consideration for migrating to the FileVault Library Item below.

To migrate, add the new Library Item to your Library and match its settings to those you have configured with the Parameter in your Blueprints. With the settings matched, assign the Library Item to the Blueprint. Keep the Parameter enabled until you have confirmed that the Library Item has successfully installed on the bulk of your devices, then disable the Parameter.

March 2022 - Transitioned Parameters

The table below lists the Parameters transitioned in March 2022 and the Library Item or other control that replaces each one. Where no replacement exists, the reason is given.

macOS 12.3 considerations

Because of a compatibility issue, the Kandji Agent does not enforce any Parameters on Mac computers that upgrade to macOS 12.3 before March 23, 2022. From March 23, 2022, the Agent resumes enforcing the non-transitioned Parameters on those Macs; the transitioned Parameters are not enforced from that date on any macOS version.

 

Parameter | Alternative Control | Additional Information
Custom Compliance Scripts | Custom Scripts Library Item |
Disable Java 6 from being the default Java runtime | None | No longer a CIS requirement on macOS 10.14 or later.
Manage Adobe Flash Player | Custom Script | Flash Player reached end of life on 12/31/2020; we recommend a full uninstall.
Disable Handoff | Restrictions Profile |
Disable Siri | Restrictions Profile |
Disallow Find My Mac | None | Not supported on macOS 10.14 or later.
Force Install macOS updates after specified time period | Managed OS Library Item | Learn more
Disable the Infrared Receiver if no paired devices exist | None |
Disable FTP Server | None | Not supported on macOS 10.13 or later.
Set retention for authd.log | OSLog (configured by SIEM client) | Deprecated in favor of OSLog.
Set retention for appfirewall.log | OSLog (configured by SIEM client) | Deprecated in favor of OSLog.
Set retention for system.log | OSLog (configured by SIEM client) | Deprecated in favor of OSLog.
Advanced Password Management BETA | Passcode Library Item | Please open feedback with Apple if the Passcode profile does not fit your needs.
Disable console login | None | Not supported on macOS 10.13 or later.
Set a Firmware Password BETA | Custom Script | GitHub Resource. Firmware passwords exist only on Intel-based Macs; Apple silicon Macs have no firmware password for a script to set.
Restrict NTP server to loopback interface | None | Not supported on macOS 10.13 or later.
Watchman Monitoring Client | Custom App | Learn more
Enable OCSP and CRL certificate checking | None | Not supported on macOS 10.13 or later.
Disable Bluetooth Discoverable Mode when not pairing devices | None | Not required by CIS. We have had multiple reports of this Parameter not functioning as expected.
Manage display sleep interval | Screen Saver Library Item | Ensure the display sleep interval is greater than the screen saver interval.
Manage number of allowed firewall rules | Firewall Library Item | The CLI method used to control this cannot be used on macOS 11 or later alongside the MDM Firewall payload.
Disable Internet Plug-Ins for global use in Safari | None | Safari 14 and later no longer support Internet plug-ins.

 

October 2020 - Transitioned Parameters

The table below lists the Parameters transitioned in October 2020, the Library Item that replaces each one, and the option within that Library Item to enable. Many of the new Library Items add capabilities the Parameters lacked, such as rotating the FileVault Recovery Key automatically.

Why are these Parameters being transitioned?

With macOS Big Sur and later, Apple introduced security improvements that require configuration profiles to be installed either by a user through System Preferences or by the MDM server the device is enrolled in. This change improves security by preventing privileged processes from installing configuration profiles silently.

For a minority of Parameters, the Kandji Agent enforces settings by installing a configuration profile. To support macOS Big Sur and later, we have transitioned these Parameters to new Library Items in which the configuration profile portion of the control is installed via MDM.

Additionally, for some Library Items such as FileVault and Firewall, the agent logic has been improved to work alongside profiles when these Library Items are configured and continue to enforce settings beyond what configuration profiles can currently achieve. Examples include regenerating FileVault Recovery Keys for previously encrypted macOS devices, setting extended logging options for the macOS Firewall, or re-enabling the Firewall if manually disabled by a local administrator.

What to expect

Learn what to expect when devices upgrade to macOS Big Sur and later.

Devices already enrolled in Kandji that upgrade to macOS Big Sur or later

The profiles installed by the Kandji Agent are not removed until you disable the Parameter as part of migrating to the Library Item equivalent. However, if such a profile is removed on macOS Big Sur or later (for example, by a local administrator), remediation fails, because the Kandji Agent can no longer reinstall the profile through the Parameter.

Devices enrolled in Kandji while already running Big Sur or later

The Kandji Agent reports Parameters that install configuration profiles as Incompatible and does not install the configuration profile.

 

Parameter | Library Item Replacement | Library Item Option
Enable FileVault 2 | FileVault | FileVault enforcement
Escrow FileVault Recovery Keys to Kandji | FileVault | Escrow recovery keys to Kandji
Manage Screen Saver | Screen Saver | Configure Screen Saver for Login Window; Configure Screen Saver for users
Restrict App Store app installs and software updates to admin users | Software Update | Restrict software updates to admins
Disable Beta Updates | Software Update | Disallow install of macOS beta releases
Automatically check for updates | Software Update | Check for updates
Automatically download and install security updates | Software Update | Install system data files and security updates
Download macOS and App Store app updates in the background | Software Update | Download new updates when available
Automatically install macOS updates | Software Update | Install available macOS updates automatically
Automatically install App Store updates | Software Update | Install App Store app updates
Delay software update availability | Software Update | Defer Software Updates
Disable software update notifications | App Store | Disable software update notifications
Restrict App Store to software updates only | App Store | Block Mac App Store
Manage media access | Media Access | Manage Media Access
Disconnect all media at logout | Media Access | Disconnect all media at logout
Manage disc burning | Media Access | Manage disc burning
Display login window as name and password | Login Window | Manage user visibility
Disable and remove password hints | Login Window | Manage password hints
Disable fast user switching menu | Login Window | Disable the fast user switching menu
Disable automatic logins | Login Window | Disable automatic login
Enforce a custom message for the lock screen | Login Window | Set Lock Message
Log out inactive users | Login Window | Automatically log out inactive users
Manage Gatekeeper | Gatekeeper | Allow apps downloaded from
Disallow users from overriding Gatekeeper settings | Gatekeeper | Disallow users from overriding Gatekeeper Settings
Ensure Firewall is configured to log | Firewall | Ensure Firewall is configured to log
Enable Firewall | Firewall | Firewall Status
Enable stealth mode | Firewall | Stealth Mode
Block all incoming connections | Firewall | Block All Incoming Connections
Block built-in apps from receiving incoming connections | Firewall | No separate option. The "Automatically allow signed downloaded software" and "Automatically allow built-in software" options aren't supported by the MDM payload, and both are forced ON whenever the Firewall payload is present.
Block downloaded apps from receiving incoming connections | Firewall | No separate option; see the note on the row above.
Enable detailed firewall logging | Firewall | Ensure detailed firewall logging
Disable waking for network access | Energy Saver | Wake for network access
Disable sleeping when connected to power | Energy Saver | Disable sleep
Disallow unlock with Apple Watch | Restrictions | Disallow using Apple Watch for device unlock
Disallow unlock with Touch ID | Restrictions | Disallow using Face ID / Touch ID for device unlock
Disallow sending diagnostic and usage data to Apple | Restrictions | Disallow sending diagnostics and usage data to Apple
Disable Content Caching | Restrictions | Disallow use of Content Caching service
Disallow AirDrop | Restrictions | Disallow AirDrop
Disallow password sharing via AirDrop Passwords | Restrictions | Disallow Password Sharing
Disable Camera | Restrictions | Disallow use of camera
Disable Safari AutoFill | Restrictions | Disallow Safari AutoFill
Disallow Safari Password AutoFill | Restrictions | Disallow AutoFill Passwords
Disallow Game Center | Restrictions | Disallow use of Game Center
Disallow iCloud Desktop & Documents Sync | Restrictions | Disallow iCloud Desktop & Documents
Disallow iCloud Drive | Restrictions | Disallow iCloud Drive
Disallow iCloud Photos | Restrictions | Disallow iCloud Photo Library
Disallow iCloud Mail | Restrictions | Disallow iCloud Mail
Disallow iCloud Contacts | Restrictions | Disallow iCloud Address Book
Disallow iCloud Calendar | Restrictions | Disallow iCloud Calendar
Disallow iCloud Reminders | Restrictions | Disallow iCloud Reminders
Disallow iCloud Bookmarks | Restrictions | Disallow iCloud Bookmarks
Disallow iCloud Notes | Restrictions | Disallow iCloud Notes
Disallow iCloud Keychain Sync | Restrictions | Disallow iCloud Keychain
Disallow password proximity requests | Restrictions | Disallow proximity based password sharing requests
Lock screen after Screen Saver or sleep begins | Passcode | Require Passcode After Sleep or Screen Saver Begins
Disallow simple passwords | Passcode | Disallow Simple Passcode
Maximum failed login attempts | Passcode | Maximum Failed Attempts Before Account Lockout
Account lockout duration | Passcode | Account Lockout Duration
Minimum number of complex characters | Passcode | Minimum Complex Characters
Minimum password length | Passcode | Minimum Passcode Length
Require alphanumeric password | Passcode | Require Alphanumeric Passcode
Maximum allowed password age | Passcode | Maximum Passcode Age
Password history | Passcode | Passcode History
Force user to reset password at next authentication | Passcode | Force Password Reset

Special consideration for migrating to the FileVault Library Item

When migrating to the new FileVault Library Item, special care is needed because macOS allows only one FileVault escrow profile to be installed at a time.

  1. First disable both FileVault Parameters and wait roughly 15-30 minutes for the majority of your devices to check in and for the Kandji Agent to uninstall the configuration profiles it installed.
  2. Then assign the new FileVault Library Item to the Blueprint being migrated. End users see no prompt or disruption as long as a FileVault Recovery Key was previously escrowed.
  3. Disabling the legacy FileVault Parameter(s) does NOT delete any currently escrowed FileVault Recovery Keys.

In the event that a device is not online for the Kandji Agent to uninstall the manually installed FileVault profiles prior to deploying the new Library Item, you may see the new Library Item initially fail to install due to macOS only allowing one of these profile types at a time. This error will self-correct at the next daily MDM check-in if the Kandji Agent has since removed the manually installed profile.

To run this remediation manually, run the following commands locally on the Mac:

This command will force a check-in and will remove the FileVault profile (if the Parameter has been disabled).

sudo kandji run 

This command will force daily MDM check-in commands to run, triggering an install of the new FileVault Library Item. 

sudo kandji update-mdm
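As a check to run on a Mac during either part of the migration (the overlap of Parameter and Library Item profiles described under How to migrate, and the one-escrow-profile rule in the FileVault section above), the following script inventories the installed configuration profiles by payload type and reports which profile carries the FileVault escrow payload. It is an added example written for this article, not Kandji's code. It assumes that `sudo profiles -P -o stdout-xml` emits a plist whose keys include _computerlevel, ProfileIdentifier, ProfileDisplayName, ProfileInstallDate and ProfileItems/PayloadType, that the Kandji CLI commands are the two given above, and that the embedded sample output (identifiers and display names are constructed) stands in for a real Mac when run offline.

```python
#!/usr/bin/env python3
"""Inventory installed configuration profiles by payload type while migrating
Parameters to Library Items, and show which profile carries the FileVault escrow
payload (macOS allows only one such profile at a time).
Added example, not Kandji's code. Assumed: `sudo profiles -P -o stdout-xml`
emits a plist with _computerlevel, ProfileIdentifier, ProfileDisplayName,
ProfileInstallDate and ProfileItems/PayloadType keys; the Kandji CLI commands are
the two this article names (`kandji run`, `kandji update-mdm`).
"""
import plistlib
import subprocess
import sys
from collections import defaultdict

ESCROW_PAYLOAD = "com.apple.security.FDERecoveryKeyEscrow"

# Constructed sample of `profiles -P -o stdout-xml` output (identifiers and names
# are made up): the legacy agent-installed FileVault profile is still present and
# two profiles carry the firewall payload, which macOS tolerates.
SAMPLE_PROFILES_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>_computerlevel</key><array>
  <dict>
    <key>ProfileIdentifier</key><string>example.legacy.filevault</string>
    <key>ProfileDisplayName</key><string>Legacy FileVault (agent-installed)</string>
    <key>ProfileInstallDate</key><date>2021-06-01T09:12:00Z</date>
    <key>ProfileItems</key><array>
      <dict><key>PayloadType</key><string>com.apple.MCX.FileVault2</string></dict>
      <dict><key>PayloadType</key><string>com.apple.security.FDERecoveryKeyEscrow</string></dict>
    </array>
  </dict>
  <dict>
    <key>ProfileIdentifier</key><string>example.legacy.firewall</string>
    <key>ProfileDisplayName</key><string>Legacy Firewall (agent-installed)</string>
    <key>ProfileInstallDate</key><date>2021-06-01T09:12:05Z</date>
    <key>ProfileItems</key><array>
      <dict><key>PayloadType</key><string>com.apple.security.firewall</string></dict>
    </array>
  </dict>
  <dict>
    <key>ProfileIdentifier</key><string>example.library.firewall</string>
    <key>ProfileDisplayName</key><string>Firewall Library Item (MDM-installed)</string>
    <key>ProfileInstallDate</key><date>2022-03-10T14:30:00Z</date>
    <key>ProfileItems</key><array>
      <dict><key>PayloadType</key><string>com.apple.security.firewall</string></dict>
    </array>
  </dict>
</array></dict></plist>
"""

def parse_profiles(plist_bytes):
    """Return [(identifier, display name, install date as text, [payload types])]."""
    out = []
    for prof in plistlib.loads(plist_bytes).get("_computerlevel", []):
        types = [item.get("PayloadType", "") for item in prof.get("ProfileItems", [])]
        out.append((prof.get("ProfileIdentifier", "?"), prof.get("ProfileDisplayName", "?"),
                    str(prof.get("ProfileInstallDate", "")), types))
    return out

def carriers_by_payload(profiles):
    """Map payload type -> sorted identifiers of the profiles carrying it."""
    index = defaultdict(list)
    for ident, _name, _date, types in profiles:
        for payload_type in types:
            index[payload_type].append(ident)
    return {t: sorted(ids) for t, ids in index.items()}

def escrow_carriers(profiles):
    """Identifiers carrying the escrow payload. The legacy identifier still listed
    here after the Parameters were disabled means the Agent has not yet removed its
    profile, so the FileVault Library Item cannot install until it does."""
    return carriers_by_payload(profiles).get(ESCROW_PAYLOAD, [])

def duplicated_payloads(profiles):
    """Payload types carried by more than one profile: expected and harmless while a
    Parameter and its Library Item overlap, except for ESCROW_PAYLOAD."""
    return {t: ids for t, ids in carriers_by_payload(profiles).items() if len(ids) > 1}

def main(argv):
    """Inspect the local Mac (run with sudo). With --remediate, run the two Kandji
    commands in the order the article gives: agent check-in, then MDM check-in."""
    raw = subprocess.run(["profiles", "-P", "-o", "stdout-xml"], check=True,
                         capture_output=True).stdout
    profiles = parse_profiles(raw)
    for ident, name, date, types in profiles:
        print(f"{ident} ({name}, installed {date}): {', '.join(types)}")
    for payload_type, ids in duplicated_payloads(profiles).items():
        print(f"{payload_type} carried by {len(ids)} profiles: {', '.join(ids)}")
    print("FileVault escrow payload carried by:", ", ".join(escrow_carriers(profiles)) or "none")
    if "--remediate" in argv:
        subprocess.run(["kandji", "run"], check=True)
        subprocess.run(["kandji", "update-mdm"], check=True)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Save it under any name (profile_inventory.py is a placeholder) and run it as `sudo python3 profile_inventory.py` on the Mac; python3 comes from the Xcode Command Line Tools or a managed install, since macOS 12.3 no longer ships a Python interpreter by default. Until the legacy identifier disappears from the escrow line, the FileVault Library Item will keep failing to install; `--remediate` triggers the agent check-in and then the MDM check-in in the order given above.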