Auto Apps Overview

By Joe Wyatt-Borner

Deploy and update commonly used applications to your Mac fleet with Auto Apps

Auto Apps are pre-packaged applications ready to be instantly deployed through the Kandji Web App. Kandji also automatically allows these applications for Privacy Preferences Policy Control, Kernel & System Extensions, Rosetta 2 for Apple Silicon Devices, and Background Items for macOS Ventura and later. Notifications can be customized by the admin to manage the end user experience. Additionally, Kandji can manage and enforce updates for these applications. For more information, see our list of available Auto Apps.

Adding an Auto App

  1. Click Library from the left-hand navigation bar.
  2. Click Add New from the right-hand side. Inside the 'Add Library Item' page, scroll down to view and select your desired Auto App. For this example, we used SAP Privileges.
  3. Click Add & Configure.
Kandji supports adding the same Auto App to your Library multiple times. This is useful when it's desired to configure differing settings for different Blueprints. For example, you can make an Auto App automatically install on devices in one Blueprint and have it be available in Self Service in another. Labels are used to differentiate multiple copies of the same Auto App. See below for additional information and an example.

Configuring an Auto App

  1. Enter a Label (1) to help differentiate this instance of the Auto App from others in your Library. These labels are NOT visible to end users but are displayed throughout the Kandji admin interface. For example, when configuring a Blueprint:
  2. Select a Blueprint (2) from the Assignment dropdown. Optionally add any Assignment Rules (3).
  3. Select an option from the Installation dropdown. Your options include the following:
    • Continuously Enforce.
    • Install-on-demand from Self Service.
  4. Optionally toggle on Self Service availability in addition to the enforcement above.
  5. Select an option from the Version Enforcement dropdown. Your options include the following:
    • Do not manage updates
    • Automatically enforce new updates
    • Manually enforce a minimum version
  6. If you choose Automatically enforce new updates, select an Enforcement timeframe.
  7. If you choose to Manually enforce a minimum version, select an Enforcement deadline date.

    When a new update is released, it will be automatically cached on your end user's devices immediately. End users will be notified of the pending installation after the app is successfully cached.

  8. Select an Enforcement Time Zone to determine when to enforce the update.

  9. Select an Enforcement Time to determine the exact time of day to enforce the update; the enforcement will be determined server-side based on the previously selected Enforcement Time Zone.

  10. Select whether or not to manage notifications for the Auto App.

    • If Unmanaged, the end user will have control over the notifications settings for this app.
    • If an Auto App does not support notifications, the following message will be displayed: This application does not support notifications.
  11. Select Disallow or Allow notifications.

    • Disallow notifications will prevent the user from turning notifications on for this application.
    • Allow notifications will force notifications on for this application, with customization options available below.
  12. Configure your alert style, as well as any other desired behavior for the notifications.

  13. Optionally Add the item to the Dock during install.

  14. Click Save.

    Once notification settings are modified, an updated Configuration Profile will not be redistributed until the next daily MDM check-in. To trigger an immediate check-in, run sudo kandji update-mdm on the client Mac.

For best practices moving from a Custom App to an Auto App, please see this article.
To learn more about Auto App settings, please see this article.

Other Important Notes about Kandji Auto Apps

  • All Auto App installers are signed with valid Developer ID certificates issued by Apple under the registered Apple Developer program used by Gatekeeper.
  • These certificates, issued to either Kandji or a third-party vendor, establish a trust relationship that verifies the integrity of the installer.
  • If they are configured to be managed, all Auto Apps will automatically install a profile via MDM to allow the application to receive notifications.
  • If an Auto App will install a profile to allow Kernel Extensions, Privacy Preferences Policy Control services, or background items for macOS Ventura and later, there will be a warning displayed in the Kandji Web App.
  • When leveraging update enforcement, end users will begin receiving update alerts via the Kandji Menu bar icon as soon as the update has been cached locally on the device. When a required Auto App update is available, and the app is not open, Kandji Agent now updates that app without requiring any user interaction.  

Auto App Security Information

Auto Apps are sourced directly from their respective software vendors, and Kandji performs strict signature validations during download and packaging to ensure the fidelity of all updates. These checks:

  • Affirm the application code was properly signed using an Apple-issued certificate
  • Verify the Apple-assigned Team Identifier equals the known identity of the registered developer
  • Validate that the code signing identifier for the app bundle is identical to the expected value
  • Assess notarization to certify no code-signing issues exist and software is free of any known malicious content

Additionally, the Auto App’s signing authority is confirmed as part of our comprehensive, internal QA. This validation:

  • Establishes chain of trust by ensuring the app’s signing certificate was issued by Apple’s intermediate and root certificate authorities
  • Guarantees the Auto App’s code signature is an exact match for the developer name and identifier
    • These values are issued by Apple to confer trust and authority, and cannot be spoofed or falsified

User Experience with Auto Apps

For information about the end user experience, please visit the User Experience with Auto Apps article.