Custom Scripts Overview

By Joe Wyatt-Borner

Learn about the Custom Script Library Item and how to leverage the power of custom scripts.


Custom scripts can be deployed to run on your enrolled Mac devices. The Kandji Agent is leveraged to run Custom Scripts on Mac computers.


This Library Item supports assignment rules. Define criteria to assign this item to a subset of devices within a Blueprint.


Execution Frequency

Depending on the script you want to deploy, you can specify if it will be run once, at every check-in, once per day, or run on-demand from Self Service. 

  • Install once per device: The script will run once per device. If the script fails, this will still count as its "one run."
  • Run every 15 min: The script will be run at each check-in (~ every 15 minutes).
  • Run daily: The script will be run every 24 hours based on the previous run time.
    • The Custom Script Library item can additionally be offered via Self Service in the above 3 scenarios
  • Run on-demand from Self Service: The script will never be run automatically and will only be offered as an optional item from Self Service. After the item is executed, the Run button will be relabeled Run again.

Default Shell and Executing User

Understand what shells and interpreters can be specified for a custom script, as well as what user custom scripts are run as. 

  • Any shell or interpreter that exists on the Mac computer can be specified in your custom script. If a shell or interpreter is not specified, the default shell is used (/bin/sh). 
  • Custom scripts run by the Kandji Agent are always executed as the root user.

Exit Codes and Outputs

Understand how script exit codes affect Custom Scripts status as well as what output from custom scripts is collected and stored.

  • If a script exits with an exit code of 0, this is considered to be a passing result. If the script exits with an exit code other than 0, this is considered an Alert/Failure.
  • Stdout and Stderr are recorded to the audit information for a script, which can be found on the device status page or custom script status page. 

Remediation and Restart options

Understand what a remediation script is and how the restart option works within custom scripts. 

  • A remediation script allows the main Audit Script to be leveraged as a true audit script to check for system configuration or application state. If this audit script exits with an exit code other than 0, this is considered an audit failure, and the remediation script will then be run.
    • If the remediation script then exits with an exit code of 0, the status of the library item for that device will be Remediated. If the remediation script fails, the library item status for that device will be Alert.
  • The restart option allows you to force a restart after successful script execution. When this option is selected, the user will receive a 30-minute restart timer from the Kandji Agent menu bar application. The restart option will behave differently based on the use of a remediation script.
    • If a Remediation script is being leveraged, when the remediation script exits 0, this will trigger the restart countdown. 
    • If a Remediation script is not being leveraged, when the Audit script exits 0, this will trigger the restart countdown.