Auto Apps Overview

By Joe Wyatt-Borner

Automatically deploy and update commonly-used applications on your Mac computers with Auto Apps

What are Auto Apps?

Auto Apps are pre-packaged applications that are ready for instant deployment through the Kandji Web App. When you use Auto Apps, Kandji automatically handles several critical tasks for you:

  • Privacy Preferences Policy Control (PPPC): Kandji ensures that these applications comply with privacy settings.
  • System Extensions and Legacy Kernel Extensions: Auto Apps are automatically allowed to use necessary extensions.
  • Rosetta 2 for Apple Silicon Devices: If an Auto App requires Rosetta to run on a Mac with Apple Silicon, the Kandji agent will automatically check for and install Rosetta 2 as needed.
  • Background Items for macOS Ventura and Later: Auto Apps are seamlessly integrated into the background processes of macOS.
  • Customizable Notifications: Administrators can tailor notifications to manage the end user experience effectively.
  • Automated Updates: Kandji manages and enforces updates for these applications.

For more details, explore our list of available Auto Apps. To learn how to migrate from a Custom App to an Auto App, please see this support article

Adding an Auto App

  1. Select Library from the left-hand navigation bar.
  2. Select Add New from the right-hand side. 
  3. On the 'Add Library Item' page, select your desired Auto App. You can also use the search bar to filter available Library Items.
  4. Click Add & Configure next to the Library Item you'd like to add. For this example, we're using SAP Privileges.

Configuring an Auto App

If an Auto App installs a profile to allow Sytem Extensions, Privacy Preferences Policy Control services, or background items for macOS Ventura and later, a warning will be displayed in the Kandji Web App.
  1. If desired, add a Label.
  2. Select the Blueprint(s) you want to assign this Library Item to.
  3. Optionally, configure Assignment Rules.
  4. Select an option from the Installation dropdown. Your options include the following:
    • Continuously Enforce
    • Install-on-demand from Self Service
  5. Optionally, toggle on Self Service availability along with the enforcement method selected above.
  6. If this Library Item is available in Self Service, you must also configure a Category.
  7. Select an option from the Version Enforcement dropdown. Your options include the following:
    • Do not manage updates
    • Automatically enforce new updates
    • Manually enforce a minimum version
  8. If you choose Automatically enforce new updates, select an Enforcement timeframe.
  9. If you choose to Manually enforce a minimum version, select the Minimum Version and Enforcement deadline Date, Time, and Time Zone.
  10. If desired, you can Manage Notifications. When managing notifications, users cannot change the settings you configure. Additionally, when notification settings are modified, an updated Configuration Profile will not be redistributed until the next daily MDM check-in. To trigger an immediate check-in, run sudo kandji update-mdm locally on the Mac.
    • If Unmanaged, the end user will have control over the notifications settings for this app.
    • If an Auto App does not support notifications, the following message will be displayed: This application does not support notifications.
    • Disallow notifications will prevent the user from turning notifications on for this application.
    • Allow notifications will force notifications on for this application, with customization options available below.
  11. Optionally, select Add to Dock during install to add the app icon to the Dock.
  12. Click Save.

Auto App Update Enforcement Considerations

  • If Auto App updates are configured to be managed, they will automatically install a profile via MDM to allow the application to receive notifications.
  • When a new update is released, it will be automatically cached on your end users' devices immediately. After the app is successfully cached, end users will be notified of the pending installation.

  • You will need to select an Enforcement Time to determine when to enforce the update. The enforcement deadline will be determined server-side based on the selected Enforcement Time Zone.

  • When leveraging update enforcement, end users will receive update alerts via the Kandji Menu bar icon as soon as the update is cached locally on the device.

  • If a required Auto App update is available and the app is not open, Kandji Agent will update the app without requiring any user interaction.

Adding Multiple Auto Apps to Your Library

Kandji allows you to add the same Auto App to your Library multiple times. This feature is useful when configuring different settings for various Blueprints. For instance, you can set up an Auto App to automatically install on devices within one Blueprint, while making it available in Self Service for another. 

When you configure the same Auto App multiple times, you have the option to add a Label. This label helps distinguish each Auto App Library Item from others in your Library. These labels are NOT visible to end users but are displayed throughout the Kandji admin interface, as shown below:

Auto App Security Information

Auto Apps come directly from their respective software vendors. Kandji ensures the fidelity of all updates by performing strict signature validations during download and packaging. 

  • Code Signing Confirmation:
    • We affirm that the application code is properly signed using an Apple-issued certificate.
    • We verify that the Apple-assigned Team Identifier matches the known identity of the registered developer.
    • We validate that the code signing identifier for the app bundle exactly matches the expected value.
    • We assess notarization to certify that there are no code-signing issues and that the software is free of known malicious content.
  • Signing Authority Validation:
    • As part of our comprehensive internal QA, we confirm the signing authority for Auto Apps.
    • This process establishes a chain of trust by ensuring that the app’s signing certificate was issued by Apple’s intermediate and root certificate authorities.
    • It guarantees that the Auto App’s code signature precisely matches the developer’s name and identifier.
    • These values, issued by Apple, cannot be spoofed or falsified.

All Auto App installers are signed with valid Developer ID certificates issued by Apple under the registered Apple Developer program used by Gatekeeper. These certificates, issued either to Kandji or a third-party vendor, establish a trust relationship that verifies the integrity of the installer.

User Experience with Auto Apps

For information about the end user experience, please visit the User Experience with Auto Apps article.

Migrating from a Custom App to an Auto App

You may already deploy some Auto Apps as Custom Apps in your Kandj tenant. Follow these steps to migrate to an Auto App.

Deleting a Custom App Library Item will not remove the app from devices it is installed on.
  1. Add the Auto App to the same Blueprint.
  2. Using the steps from the Auto Apps Overview, deploy the Auto App that will replace your Custom App. This will not overwrite the app if it is already installed. However if the installed app is out of date, then your version enforcement options will apply and the end user may be prompted to update the app. 
  3. Delete the existing Custom App or make it Inactive.
  4. Remove existing PPPC or System Extension Profiles. If you have a System Extension or PPPC Profile in place for your Custom App, you may now delete it. Auto Apps automatically have their System Extension and PPPC requirements allowed via a Profile installed by Kandji.