Auto Apps Overview

By Joe Wyatt-Borner

Automatically deploy and update commonly-used applications on your Mac computers with Auto Apps

What are Auto Apps?

Auto Apps are pre-packaged applications that are ready for instant deployment through the Kandji Web App. When you use Auto Apps, Kandji automatically handles several critical tasks for you:

  • Automated Updates - Kandji manages and enforces updates for these applications.
  • Background Items for macOS Ventura and Later - Auto Apps are seamlessly integrated into the background processes of macOS.
  • Customizable Notifications - Administrators can tailor notifications to manage the end user experience effectively.
  • Privacy Preferences Policy Control (PPPC) - Kandji ensures that these applications comply with privacy settings.
  • Rosetta 2 for Apple Silicon Devices - If an Auto App requires Rosetta to run on a Mac with Apple Silicon, the Kandji agent will automatically check for and install Rosetta 2 as needed.
  • System Extensions and Legacy Kernel Extensions - Auto Apps are automatically allowed to use necessary extensions.

For a full list of Auto Apps, see our Available Auto Apps support article.

Adding an Auto App

  1. Select Library from the left-hand navigation bar.
  2. Select Add New from the right-hand side. 
  3. On the 'Add Library Item' page, select your desired Auto App. You can also use the search bar to filter available Library Items.
  4. Click Add & Configure next to the Library Item you'd like to add. For this example, we're using SAP Privileges.

Configuring an Auto App

If an Auto App installs a profile to allow System Extensions, Privacy Preferences Policy Control services, notifications, or background items for macOS Ventura and later, a warning will be displayed in the Kandji Web App.
  1. If desired, add a Label.
  2. Select the Blueprint(s) you want to assign this Library Item to.
  3. Select an option from the Installation dropdown. Your options include the following:
    • Continuously Enforce
    • Install-on-demand from Self Service
    • Update Only
  4. If you choose to Continuously enforce, you can toggle on Self Service availability along with the enforcement method selected above.
  5. If this Library Item is available in Self Service, you must also configure a Category.
  6. Select an option from the Version Enforcement dropdown. Your options include the following:
    • Do not manage updates
    • Automatically enforce new updates
    • Manually enforce a minimum version
  7. If you choose Automatically enforce new updates, select an Enforcement timeframe and Time Zone. You can also choose to enforce updates in the device's local time zone.
  8. If you choose to Manually enforce a minimum version, select the Minimum Version and Enforcement deadline Date, Time, and Time Zone. You can also choose to enforce updates in the device's local time zone.
  9. If desired, you can Manage Notifications. When managing notifications, users cannot change the settings you configure. Additionally, when notification settings are modified, an updated Configuration Profile will not be redistributed until the next daily MDM check-in. To trigger an immediate check-in, run sudo kandji update-mdm locally on the Mac.
    • If Unmanaged, the end user will have control over the notifications settings for this app.
    • If an Auto App does not support notifications, the following message will be displayed: This application does not support notifications.
    • Disallow notifications will prevent the user from turning notifications on for this application.
    • Allow notifications will force notifications on for this application, with customization options available below.
  10. Optionally, select Add to Dock during install to add the app icon to the Dock.
  11. If needed, configure Preinstall and/or Postinstall scripts that should run with your Auto App.
  12. Click Save.

Update Only

For applications you don't want to deploy to your devices or make available in Self-Service, you can enable Update Only. This configuration will enforce available updates to existing installations following your enforcement settings, but will not deploy the app to any devices where it isn't already installed. Additionally, Auto Apps in Update Only mode will not deploy relevant profiles for System Extensions, Privacy Preferences Policy Control services, notifications, or background items.

Auto App Update Enforcement Considerations

Notifications

  • If Auto App updates are configured to be managed, they will automatically install a profile via MDM to allow the application to receive notifications.

Enforcement

  • If enforcement options are chosen and an application is below the required minimum version, setting the installation method to "Update Only" will ensure that updates are applied to applications installed outside of Kandji, as long as the Bundle ID matches. This setting will not install the app via Kandji if it is not already present; it will only keep the app up to date.
  • Similarly, when enforcement options are selected and the application version is below the minimum enforced version, setting the installation method to Install on-demand from Self-Service will also apply updates to applications installed outside of Kandji, provided the Bundle ID matches.
  • When a new update is released, it is automatically cached on users' devices immediately. After the app is successfully cached, if the app is running, users are notified of the pending installation. If the app is not running, Kandji Agent will update the app silently without requiring any user interaction.
  • You must select an Enforcement Time to determine when to enforce the update. The enforcement deadline can be based on either server-side time or local device time, depending on your selected Enforcement Time Zone.

User Experience

  • When leveraging update enforcement, end users will receive update alerts via the Kandji Menu bar icon once the update is cached locally on the device. If a required Auto App update is available and the app is not open, Kandji Agent will update the app silently without requiring any user interaction.
  • For detailed information about the end user experience, please visit our User Experience with Auto Apps article.

Adding Multiple Auto Apps to Your Library

Kandji allows you to add the same Auto App to your Library multiple times. This feature is useful when configuring different settings for various Blueprints. For instance, you can set up an Auto App to automatically install on devices within one Blueprint while making it available in Self Service for another. 

When you configure the same Auto App multiple times, you can add a Label. This label helps distinguish each Auto App Library Item from others in your Library. These labels are NOT visible to end users but are displayed throughout the Kandji admin interface.

Auto App Security Information

Auto Apps come directly from their respective software vendors. Kandji ensures the fidelity of all updates by performing strict signature validations during download and packaging. 

Code Signing Confirmation:

  • We affirm that the application code is properly signed using an Apple-issued certificate.
  • We verify that the Apple-assigned Team Identifier matches the known identity of the registered developer.
  • We validate that the code signing identifier for the app bundle exactly matches the expected value.
  • We assess notarization to certify that there are no code-signing issues and that the software is free of known malicious content.

Signing Authority Validation:

  • As part of our comprehensive internal QA, we confirm the signing authority for Auto Apps.
  • This process establishes a chain of trust by ensuring that the app’s signing certificate was issued by Apple’s intermediate and root certificate authorities.
  • It guarantees that the Auto App’s code signature precisely matches the developer’s name and identifier.
  • These values, issued by Apple, cannot be spoofed or falsified.

All Auto App installers are signed with valid Developer ID certificates issued by Apple under the registered Apple Developer program used by Gatekeeper. These certificates, issued either to Kandji or a third-party vendor, establish a trust relationship that verifies the integrity of the installer.
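
An administrator can spot-check, on an installed app, the properties listed under Code Signing Confirmation and Signing Authority Validation. The script below is an added example, not Kandji's own validation code; it parses `codesign -dvv` output, and the bundle identifier, Team ID and sample output are constructed placeholders.

```shell
#!/bin/bash
# Added example: compare `codesign -dvv` output against the values you expect.
# check_signature EXPECTED_IDENTIFIER EXPECTED_TEAM_ID   (codesign output on stdin)
# Returns 0 only if the identifier, Team ID and Apple authority chain all match.
check_signature() {
  local want_id="$1" want_team="$2" info id team chain
  info="$(cat)"
  id="$(printf '%s\n' "$info" | sed -n 's/^Identifier=//p' | head -n 1)"
  team="$(printf '%s\n' "$info" | sed -n 's/^TeamIdentifier=//p' | head -n 1)"
  # Authority lines are printed leaf certificate first, root last.
  chain="$(printf '%s\n' "$info" | sed -n 's/^Authority=//p' | paste -sd'|' -)"

  [ "$id" = "$want_id" ] || { echo "identifier mismatch: '$id'"; return 1; }
  [ "$team" = "$want_team" ] || { echo "team ID mismatch: '$team'"; return 1; }
  case "$chain" in
    "Developer ID Application: "*" ($want_team)|Developer ID Certification Authority|Apple Root CA") ;;
    *) echo "unexpected authority chain: $chain"; return 1 ;;
  esac
  echo "ok"
}

# Constructed sample of `codesign -dvv` output (placeholder app and Team ID).
SAMPLE_OUTPUT='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# On a Mac, pipe in real output (codesign writes it to stderr):
#   codesign -dvv /Applications/Example.app 2>&1 | check_signature com.example.app ABCDE12345
# The displayed fields only mean something if the signature itself verifies,
# so also run the integrity and Gatekeeper/notarization assessments:
#   codesign --verify --deep --strict /Applications/Example.app
#   spctl --assess --type execute -vv /Applications/Example.app
printf '%s\n' "$SAMPLE_OUTPUT" | check_signature com.example.app ABCDE12345
```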

Migrating from a Custom App to an Auto App

You may already deploy some Auto Apps as Custom Apps in your Kandji tenant. To migrate to an Auto App, follow these steps.

Deleting a Custom App Library Item will not remove the app from devices it is installed on.
  1. Add the Auto App to the same Blueprint.
  2. Using the steps from the Auto Apps Overview, deploy the Auto App that will replace your Custom App. This will not overwrite the app if it is already installed. However, if the installed app is out of date, your version enforcement options will apply and the end user may be prompted to update the app.
  3. Delete the existing Custom App or make it Inactive.
  4. Remove existing PPPC or System Extension Profiles. If you have a System Extension or PPPC Profile in place for your Custom App, you may now delete it. Auto Apps automatically have their System Extension and PPPC requirements allowed via a Profile installed by Kandji.