Deploy and update commonly used applications to your Mac fleet with Auto Apps
Auto Apps are pre-packaged applications ready to be instantly deployed through the Kandji Web App. Kandji also automatically allows these applications for Privacy Preferences Policy Control, Kernel Extensions, System Extensions, Rosetta 2 for Apple Silicon Devices, and Background Items for macOS Ventura and later. Notifications can be customized by the admin to manage the end user experience. Additionally, Kandji can manage and enforce updates for these applications. For more information, see our list of available Auto Apps.
- Adding an Auto App
- Configuring an Auto App
- Auto App Security Information
- End User Experience with Auto Apps
Adding an Auto App
- Click Library from the left-hand navigation bar.
- Click Add New from the right-hand side. Inside the 'Add Library Item' page, scroll down to view and select your desired Auto App. For this example, we used Figma.
- Click Add & Configure.
Kandji supports adding the same Auto App to your Library multiple times. This is useful when you want different settings for different Blueprints. For example, you can make an Auto App automatically install on devices in one Blueprint and have it be available in Self Service in another. Labels are used to differentiate multiple copies of the same Auto App. See below for additional information and an example.
Configuring an Auto App
- Enter a Label (1) to help differentiate this instance of the Auto App from others in your Library. These labels are NOT visible to end users but are displayed throughout the Kandji admin interface. For example, when configuring a Blueprint:
- Select a Blueprint (2) from the Assignment dropdown. Optionally add any Assignment Rules (3).
- Select an option from the Installation dropdown. Your options include the following:
- Continuously Enforce.
- Install-on-demand from Self Service.
- Optionally toggle on Self Service availability in addition to the enforcement above.
- Select an option from the Version Enforcement dropdown. Your options include the following:
- Do not manage updates
- Automatically enforce new updates
- Manually enforce a minimum version
- If you choose Automatically enforce new updates, select an Enforcement timeframe.
If you choose to Manually enforce a minimum version, select an Enforcement deadline date.
When a new update is released, it will be automatically cached on your end users' devices 5 days before the enforcement deadline. End users will be notified of the pending installation after the app is successfully cached.
If you select an Enforcement timeframe or Enforcement deadline less than 5 days from when an update is released by Kandji, it will be automatically cached on your end users' devices, and they will be notified of the pending installation.
Select an Enforcement Time Zone to determine when to enforce the update.
Select an Enforcement Time to determine the exact time of day to enforce the update; the enforcement will be determined server-side based on the previously selected Enforcement Time Zone.
Select whether or not to manage notifications for the Auto App.
- If Unmanaged, the end user will have control over the notifications settings for this app.
- If an Auto App does not support notifications, the following message will be displayed: This application does not support notifications.
Select Disallow or Allow notifications.
- Disallow notifications will prevent the user from turning notifications on for this application.
- Allow notifications will force notifications on for this application, with customization options available below.
Configure your alert style, as well as any other desired behavior for the notifications.
Optionally Add the item to the Dock during install.
Once notification settings are modified, an updated Configuration Profile will not be redistributed until the next daily MDM check-in. To trigger an immediate check-in, run sudo kandji update-mdm on the client Mac.
For best practices moving from a Custom App to an Auto App, please see this article.
To learn more about Auto App settings, please see this article.
Other Important Facts about Kandji Auto Apps
- All Auto App installers are signed with valid Developer ID certificates issued by Apple under the registered Apple Developer Program; these are the certificates Gatekeeper checks.
- These certificates, issued to either Kandji or a third-party vendor, establish a trust relationship that verifies the integrity of the installer.
- All Auto Apps will automatically install a profile via MDM to allow the application for notifications if they are configured to be managed.
- If an Auto App will install a profile to allow Kernel Extensions, Privacy Preferences Policy Control services, or background items for macOS Ventura and later, there will be a warning displayed in the Kandji Web App.
- When leveraging update enforcement, end users will begin receiving update alerts via the Kandji Menu bar icon starting 5 days before the enforcement deadline.
Auto App Security Information
Auto Apps are sourced directly from their respective software vendors, and Kandji performs strict signature validations during download and packaging to ensure the fidelity of all updates. These checks:
- Affirm the application code was properly signed using an Apple-issued certificate
- Verify the Apple-assigned Team Identifier equals the known identity of the registered developer
- Validate that the code signing identifier for the app bundle is identical to the expected value
- Assess notarization to certify no code-signing issues exist and software is free of any known malicious content
Additionally, the Auto App’s signing authority is confirmed as part of our comprehensive, internal QA. This validation:
- Establishes chain of trust by ensuring the app’s signing certificate was issued by Apple’s intermediate and root certificate authorities
- Guarantees the Auto App’s code signature is an exact match for the developer name and identifier
- These values are issued by Apple to confer trust and authority, and cannot be spoofed or falsified
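An admin can spot-check the same properties (Team Identifier, code signing identifier, Apple root of the chain, notarization) on a managed Mac. The script below is an added example, not Kandji's own validation code: it parses the output of codesign and spctl and compares it to pinned values. The sample output and the identity in it (EXAMPLE123, com.example.app) are constructed placeholders.

```shell
#!/bin/sh
# Added example: compare codesign/spctl output against pinned expectations.
# On a Mac the two inputs would be captured with:
#   codesign -dv --verbose=4 "/Applications/Some.app" 2>&1
#   spctl --assess --type execute -vv "/Applications/Some.app" 2>&1

# Constructed sample output (placeholder identity, not a real vendor's values).
SAMPLE_CODESIGN='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Corp (EXAMPLE123)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EXAMPLE123'
SAMPLE_SPCTL='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (EXAMPLE123)'

# field KEY TEXT -> value of the first "KEY=value" line in TEXT.
# The ^ anchor keeps "Identifier" from matching "TeamIdentifier".
field() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# check_app CODESIGN_OUT SPCTL_OUT EXPECTED_TEAM EXPECTED_IDENTIFIER
# Prints one line per failed check; returns 0 only if every check passes.
check_app() {
    rc=0
    [ "$(field TeamIdentifier "$1")" = "$3" ] || { echo "team id mismatch"; rc=1; }
    [ "$(field Identifier "$1")" = "$4" ] || { echo "identifier mismatch"; rc=1; }
    # codesign lists the chain leaf-first, so the last Authority line is the root.
    root=$(printf '%s\n' "$1" | sed -n 's/^Authority=//p' | tail -n 1)
    [ "$root" = "Apple Root CA" ] || { echo "unexpected root: $root"; rc=1; }
    printf '%s\n' "$2" | grep -q '^source=Notarized Developer ID$' \
        || { echo "not notarized"; rc=1; }
    return $rc
}

check_app "$SAMPLE_CODESIGN" "$SAMPLE_SPCTL" EXAMPLE123 com.example.app \
    && echo "all checks passed"
```

The expected Team Identifier and bundle identifier should be pinned from a copy of the app obtained directly from the vendor, not read from the file being checked.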
End User Experience with Auto Apps
Since Auto Apps have the potential to notify end users of available updates, it is important to understand what the end user may experience.
End users will receive a banner notification starting 5 days before the enforcement deadline after the app has successfully been cached to their devices. If the enforcement deadline is less than 5 days, users are notified as soon as their devices check in and successfully cache the updated app for installation.
App Can't Be Opened: The end user will receive a banner notification if an update is in progress and they attempt to open the app.
Kandji will forcibly close an app once the update is initiated by the end user. Kandji will also prevent the app from being opened during the update. Once the update completes, the app will not automatically relaunch.
Updating Auto Apps inside the Kandji Menu Bar app
End users will notice that the Kandji Menu Bar app has a red dot indicating an action is required 5 days before the enforcement deadline. If the enforcement deadline is less than 5 days, the indicator will appear after the end users' devices check in with Kandji.
When clicking on the Kandji Menu Bar app dropdown, end users will see a list of available updates. Clicking on an update will show the Update Info page. Users can select the Update Apps button to install all pending updates.
Installing: After an end user starts an update via the Kandji Menu Bar app, they will see the installation progress.
Updates Complete: After an end user starts an update via the Kandji Menu Bar app and the installation completes, they will see green checkmarks next to each completed update.
Enforcement Deadline Reached
Once the Enforcement Deadline is reached, Kandji will silently update the app. If the application is open, the Kandji Menu Bar app will open, displaying a 5-minute countdown, giving the user time to close the application and save their work. If the apps are not closed by the end of the countdown, Kandji will forcibly close those apps. If the apps are closed before the end of the countdown, the updates will start immediately.
Delay 1 Hour: Users will also have the option to delay the enforced install by one hour, each hour, for up to an additional 24 hours. This helps prevent installations from disrupting critical activities during the working day.