Using Kandji on Enterprise Networks

By Gwynn Clark

Learn which hosts and ports are required to manage your Apple devices with Kandji

Overview

Some organizations may create Enrollment Only networks or put Proxies in place to limit access to the public internet. In these situations, it is important to ensure that your Apple devices can communicate with Apple's networks and Kandji to complete enrollment and management tasks.

Required Domains & Ports

When creating firewall rules for these ports, outbound traffic will need to be allowed.

US-hosted Region

Domain
Ports
Protocol
OS
Description
kandji-prd.s3.amazonaws.com443TCPmacOSUsed by macOS devices to download the Kandji Agent & Custom Apps uploaded to your Kandji Instance
kandji-prd-managed-library-items.s3.amazonaws.com443TCPmacOSUsed by macOS devices to download Auto Apps
managed-library.kandji.io443TCPmacOSUsed by macOS devices to download Auto Apps
UUID.web-api.kandji.io443TCPAll

Used to communicate with Kandji via the MDM protocol, and by the Kandji Agent
Domain is unique per Kandji instance

UUID.devices.us-1.kandji.io
443TCPAll

Will replace UUID.web-api.kandji.io domain in a future product update for new device enrollments as the domain used MDM Check-In URL and Kandji Agent communication

Used to communicate with Kandji via the MDM protocol, and by the Kandji Agent
Domain is unique per Kandji instance

subdomain.web-api.kandji.io443TCPAll

Used to download MDM Enrollment Profile

subdomain.kandji.io443TCPAll

Used to access the Kandji web app

*.iot.kandji.io443TCPAllUsed for device telemetry communications
browser-intake-datadoghq.com443TCPAllUsed for release management and platform monitoring
events.launchdarkly.com443TCPAllUsed for release management and platform monitoring

EU-hosted Region

Domain
Ports
Protocol
OS
Description
kandji-prd-eu.s3.amazonaws.com443TCPmacOSUsed by macOS devices to download the Kandji Agent & Custom Apps uploaded to your Kandji Instance
kandji-prd-eu-managed-library-items.s3.amazonaws.com443TCPmacOSUsed by macOS devices to download Auto Apps
managed-library.eu.kandji.io443TCPmacOSUsed by macOS devices to download Auto Apps
UUID.web-api.eu.kandji.io443TCPAll

Used to communicate with Kandji via the MDM protocol and by the Kandji Agent
Domain is unique per Kandji instance

UUID.devices.eu.kandji.io
443TCPAll

Will replace UUID.web-api.kandji.io domain in a future product update for new device enrollments as the domain used MDM Check-In URL and Kandji Agent communication

Used to communicate with Kandji via the MDM protocol and by the Kandji Agent
Domain is unique per Kandji instance

subdomain.web-api.eu.kandji.io443TCPAll

Used to download MDM Enrollment Profile

subdomain.eu.kandji.io443TCPAll

Used to access the Kandji web app

*.iot.eu.kandji.io443TCPAll

Used for device telemetry communications

browser-intake-datadoghq.com443TCPAllUsed for release management and platform monitoring
events.launchdarkly.com443TCPAllUsed for release management and platform monitoring

 

Note that the UUID preceding .web-api.kandji.io is unique to every Kandji instance. To find your company's unique URL reference the following section.


Active Directory Certificate Services Network Requirements

For more information about the Active Directory Certificate Services integration, please see the AD CS overview support article.

Source
Destination
Destination domains
Port
Protocol
Description
AD CS ConnectorKandji tenant{subdomain}.kandji.io
{subdomain}.eu.kandji.io
443TCPUsed during initial Connector setup when connecting the AD CS Connector to the customer's Kandji tenant
AD CS ConnectorAuth0*.auth0.com443TCPMultiple subdomains used for the initial WebView authentication to set up the connector, not leveraged for ongoing authentication
AD CS ConnectorAuth0auth.kandji.io
auth.eu.kandji.io
443TCPUsed when authenticating the AD CS Connector to the customer's Kandji tenant during initial setup and when initializing WebSocket communications
AD CS ConnectorKandji tenant
{subdomain}.clients.us-1.kandji.io
{subdomain}.clients.eu.kandji.io
443TCPUsed for API communications between the AD CS Connector and the customer's Kandji tenant
AD CS ConnectorKandji ADCS serviceadcsconn.kandji.io
adcsconn.eu.kandji.io
443WebSocketUsed to facilitate certificate requests This connection is only for communications between the Kandji AD CS Connector and the customer's Kandji tenant in the context of fulfilling certificate requests
AD CS ConnectorWindows AD CSWindows AD CS CA server(s) in the customer's environmentRandom port in the 50000 rangeMRPCThe Kandji AD CS Connector is used to communicate with Microsoft AD CS CA servers within the customer's internal network when facilitating certificate requests

Port is randomly defined by the protocol


Determine Your Organization's Unique Device Domains

Your unique device domains are used by enrolled devices in order to communicate with Kandji via the MDM protocol and the Kandji Agent for macOS.

You can view these unique domains by logging into your instance and following these steps.

  1. Click Settings on the lower left-hand corner. 
  2. On the General tab, you will see the Device Domains panel, these two domains are used by devices for MDM and Agent communication.

To determine the specific Domain being used by an individual Mac computer, you can run the following command in Terminal. 

system_profiler SPConfigurationProfileDataType | awk -v FS='(https://|/mdm)' '/CheckInURL/ {print $2}'

SSL/TLS Inspection

The Kandji macOS Agent leverages a common best practice of certificate pinning to ensure that it will only communicate with trusted servers and prevent its traffic from being intercepted and inspected (MITM attack prevention).

This may pose a challenge if your network or proxy administrator is decrypting all SSL/TLS traffic by default. Please ask your network administrator to exempt the 2 device domains in your instance from inspection.

Please note that even if you deploy your content filter's CA as a trusted root CA to your macOS devices; SSL/TLS inspection will still cause the Kandji Agent to not communicate with Kandji. 

Apple required hosts and ports

Apple has outlined their service's hosts and ports in this guide. 

Apple Support: Use Apple products on enterprise networks

Communication Flow

Below is a diagram demonstrating the standard flow of communication between Kandji, APNs, and managed Apple devices.


TLS Versions and Cipher Suites

Per Apple's Platform Security guide, built-in apps and services on macOS, iOS, tvOS, and iPadOS devices will automatically prefer cipher suites with perfect forward secrecy. This is also true in the case where a developer uses a high-level networking API such as CFNetwork. The Kandji agent leverages these high-level networking APIs.

We encourage you to read Apple's Platform Security Guide in order to better understand these features, especially the TLS network security section, which can be found here.

Apple Platform Security guide: TLS network security

As previously mentioned, the domain used for MDM and agent communication is unique to your instance (UUID.web-api.kandji.io) you can inspect this domain using a tool such as Qualys SSL Server Test to understand which ciphers are currently supported by Kandji. You can see a brief overview below.

Protocols

TLS 1.3No
TLS 1.2Yes*
TLS 1.1Yes
TLS 1.0Yes*
SSL 3No
SSL 2No
(*) Server negotiated using No-SNI

Cipher Suites

TLS 1.2 in server preferred order
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256 
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA 
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS 1.1 in server preferred 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS 1.0 in server preferred 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA