Understand which Parameters are being transitioned and what action is required by Kandji administrators.
Transition Overview
Parameters within Kandji are being transitioned to Library Items to reflect a more modern and scalable UI language and to allow configurations to be shared more flexibly across the Blueprints in an instance. The transition is also driven by new enforcement mechanisms, such as full MDM control in place of agent-driven enforcement.
Timelines
In October of 2020, due to changes within macOS Big Sur, we transitioned 63 Parameters to Library Items; those Parameters can be found in the October 2020 - Transitioned Parameters section below.
In addition to the October 2020 - Transitioned Parameters, 21 additional Parameters will be transitioned. These additional parameters can be found in the March 2022 - Transitioned Parameters section below.
As of March 23, 2022, the Kandji Agent will stop enforcing all 84 of these transitioned Parameters on enrolled Mac computers, and on April 6, 2022, the transitioned Parameters will be removed from Kandji entirely.
Please note that although the Parameters will be removed from the Blueprint and device status areas, the Parameter history will remain in the activity areas.
Action required
If you are currently using any of the Parameters listed below and want to enforce these controls on macOS Big Sur and later versions of macOS, you will need to migrate to the new Library Item or alternative control equivalent of the Parameter.
Even if you have not transitioned your environment to Big Sur and later, we recommend migrating as soon as possible, as the Library Items will work for macOS Ventura, macOS Monterey, macOS Big Sur, and previous versions of macOS. You are not required to enable both the Parameter and Library Item to support multiple macOS versions in a single Blueprint.
How to migrate
In most cases there is a direct Library Item equivalent for a transitioned Parameter, and migration is straightforward because macOS can usually have more than one configuration profile of the same type installed at once (the FileVault escrow profile is a notable exception, covered below).
To migrate, add the new Library Item to your Library and match the settings you have configured with Parameters in your Blueprints. Once you have these settings matched, assign the Library Item to the Blueprint. Once you have confirmed that the Library Item has successfully deployed to the bulk of your devices, you can disable the Parameter.
March 2022 - Transitioned Parameters
Understand which Parameters are being transitioned in March 2022 and which Library Items or alternative controls you should leverage to replace them.
macOS 12.3 considerations
Mac computers that upgrade to macOS 12.3 before March 23, 2022, will not have any Parameters enforced by the Kandji Agent, due to compatibility issues. Starting March 23, 2022, all non-transitioned Parameters will be enforced again.
| Parameter | Alternative Control | Additional Information |
| --- | --- | --- |
| Custom Compliance Scripts | Custom Scripts Library Item | |
| Disable Java 6 from being the default Java runtime | None | No longer a CIS requirement on macOS 10.14 or greater. |
| Manage Adobe Flash Player | Custom Script | Flash Player went EOL on 12/31/2020; we recommend a full uninstall. |
| Disable Handoff | Restrictions Profile | |
| Disable Siri | Restrictions Profile | |
| Disallow Find My Mac | None | Not supported on macOS 10.14 or greater. |
| Force Install macOS updates after specified time period | Managed OS Library Item | Learn more |
| Disable the Infrared Receiver if no paired devices exist | None | |
| Disable FTP Server | None | Not supported on macOS 10.13 or greater. |
| Set retention for authd.log | OSLog (configured by SIEM client) | Flat log deprecated in favor of OSLog (unified logging). |
| Set retention for appfirewall.log | OSLog (configured by SIEM client) | Flat log deprecated in favor of OSLog (unified logging). |
| Set retention for system.log | OSLog (configured by SIEM client) | Flat log deprecated in favor of OSLog (unified logging). |
| Advanced Password Management BETA | Passcode Library Item | Please open feedback with Apple if the passcode profile does not fit your needs. |
| Disable console login | None | Not supported on macOS 10.13 or greater. |
| Set a Firmware Password BETA | Custom Script | GitHub Resource |
| Restrict NTP server to loopback interface | None | Not supported on macOS 10.13 or greater. |
| Watchman Monitoring Client | Custom App | Learn more |
| Enable OCSP and CRL certificate checking | None | Not supported on macOS 10.13 or greater. |
| Disable Bluetooth Discoverable Mode when not pairing devices | None | Not required by CIS. We have had multiple reports of this Parameter not functioning as expected. |
| Manage display sleep interval | Screen Saver Library Item | Ensure the display sleep interval is greater than the Screen Saver interval. |
| Manage number of allowed firewall rules | Firewall Library Item | The CLI method used to control this cannot be used on macOS 11 or greater in conjunction with the MDM payload. |
| Disable Internet Plug-Ins for global use in Safari | None | Internet plug-ins are no longer supported in Safari 14 or greater. |
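The "Manage display sleep interval" row above carries the one check that is easy to get wrong when moving this control to the Screen Saver Library Item: if the display sleeps before the screen saver starts, the screen saver never engages. The script below is an added example, not Kandji's code. It parses the `displaysleep` value from `pmset -g` output (reported in minutes, 0 meaning never) and compares it with the screen saver `idleTime` (seconds, 0 meaning never). It assumes that, on a Mac, `defaults -currentHost read com.apple.screensaver idleTime` run as the console user returns the managed value, and that an absent key means the macOS default of 20 minutes; both are assumptions. The embedded `pmset -g` text and the 1200-second screen saver value are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example (not Kandji's code): verify that display sleep happens after
# the screen saver starts. Run with --live on a Mac as the console user;
# without --live it evaluates the constructed sample below.

# Constructed sample of `pmset -g` output (trimmed). displaysleep is in minutes.
SAMPLE_PMSET='System-wide power settings:
Currently in use:
 standby              1
 displaysleep         10
 sleep                1
 disksleep            10'

# parse_displaysleep_seconds: read `pmset -g` text on stdin and print the
# displaysleep value in seconds; prints -1 if the key is not present.
parse_displaysleep_seconds() {
    awk '$1 == "displaysleep" { print $2 * 60; found = 1; exit }
         END { if (!found) print "-1" }'
}

# check_intervals DISPLAY_SLEEP_SEC SAVER_IDLE_SEC
# Returns 0 when the display stays awake long enough for the screen saver
# to start (0 = never for either value), 1 otherwise, with a verdict line.
check_intervals() {
    display=$1
    saver=$2
    if [ "$display" -lt 0 ]; then
        echo "FAIL: could not read displaysleep from pmset output"
        return 1
    fi
    if [ "$saver" -eq 0 ]; then
        echo "FAIL: screen saver is set to Never; lock-after-screen-saver will not engage"
        return 1
    fi
    if [ "$display" -eq 0 ]; then
        echo "PASS: display never sleeps; screen saver starts after ${saver}s"
        return 0
    fi
    if [ "$display" -gt "$saver" ]; then
        echo "PASS: display sleeps at ${display}s, after the screen saver starts at ${saver}s"
        return 0
    fi
    echo "FAIL: display sleeps at ${display}s, before or when the screen saver starts at ${saver}s"
    return 1
}

if [ "${1:-}" = "--live" ]; then
    display=$(pmset -g | parse_displaysleep_seconds)
    # Assumption: absent key means the macOS default of 20 minutes (1200 s).
    saver=$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null || echo 1200)
    check_intervals "$display" "$saver"
else
    display=$(printf '%s\n' "$SAMPLE_PMSET" | parse_displaysleep_seconds)
    # Constructed value: screen saver after 20 minutes, display sleep after 10.
    check_intervals "$display" 1200 \
        || echo "remediate: raise display sleep above the screen saver interval, or lower the screen saver interval"
fi
```

With the sample values the check fails, which is exactly the misconfiguration the table row warns about: a 10-minute display sleep with a 20-minute screen saver. Raise the Energy Saver display sleep in the Blueprint above the Screen Saver Library Item's interval, or shorten the latter.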
October 2020 - Transitioned Parameters
Understand which Parameters are being transitioned and which Library Items you should leverage to replace them. Many of these new Library Items have additional new benefits, such as rotating the FileVault Key automatically.
Why are these Parameters being transitioned?
With macOS Big Sur and later, Apple has introduced security improvements that require profiles to be installed by a user through System Preferences or by the MDM server the device is enrolled into. This change improves security and prevents privileged processes from installing configuration profiles silently.
For a minority of Parameters, the Kandji Agent installs configuration profiles to apply and enforce settings. In order to support the changes in macOS Big Sur and later, we have transitioned these Parameters to new Library Items where the configuration profile portions of the control are installed via MDM.
Additionally, for some Library Items such as FileVault and Firewall, the agent logic has been improved to work alongside profiles when these Library Items are configured and continue to enforce settings beyond what configuration profiles can currently achieve. Examples include regenerating FileVault Recovery Keys for previously encrypted macOS devices, setting extended logging options for the macOS Firewall, or re-enabling the Firewall if manually disabled by a local administrator.
What to expect
Learn what to expect when devices upgrade to macOS Big Sur and later.
For your devices that are already enrolled into Kandji and upgrade to macOS Big Sur and later:
The profiles installed by the Kandji Agent will not be removed until you disable the Parameter as part of migrating to the new Library Item equivalent. However, remediation will fail on macOS Big Sur and later if the profile is removed, because the Kandji Agent can no longer reinstall the profile via the Parameter.
For devices running Big Sur and later that are enrolled into Kandji:
The Kandji Agent will report these Parameters that install configuration profiles as Incompatible and will not install the configuration profile.
| Parameter | Library Item Replacement | Library Item Option |
| --- | --- | --- |
| Enable FileVault 2 | FileVault | FileVault enforcement |
| Escrow FileVault Recovery Keys to Kandji | FileVault | Escrow recovery keys to Kandji |
| Manage Screen Saver | Screen Saver | Configure Screen Saver for Login Window, Configure Screen Saver for users |
| Restrict App Store app installs and software updates to admin users | Software Update | Restrict software updates to admins |
| Disable Beta Updates | Software Update | Disallow install of macOS beta releases |
| Automatically check for updates | Software Update | Check for updates |
| Automatically download and install security updates | Software Update | Install system data files and security updates |
| Download macOS and App Store app updates in the background | Software Update | Download new updates when available |
| Automatically install macOS updates | Software Update | Install available macOS updates automatically |
| Automatically install App Store updates | Software Update | Install App Store app updates |
| Delay software update availability | Software Update | Defer Software Updates |
| Disable software update notifications | App Store | Disable software update notifications |
| Restrict App Store to software updates only | App Store | Block Mac App Store |
| Manage media access | Media Access | Manage Media Access |
| Disconnect all media at logout | Media Access | Disconnect all media at logout |
| Manage disc burning | Media Access | Manage disc burning |
| Display login window as name and password | Login Window | Manage user visibility |
| Disable and remove password hints | Login Window | Manage password hints |
| Disable fast user switching menu | Login Window | Disable the fast user switching menu |
| Disable automatic logins | Login Window | Disable automatic login |
| Enforce a custom message for the lock screen | Login Window | Set Lock Message |
| Log out inactive users | Login Window | Automatically log out inactive users |
| Manage Gatekeeper | Gatekeeper | Allow apps downloaded from |
| Disallow users from overriding Gatekeeper settings | Gatekeeper | Disallow users from overriding Gatekeeper Settings |
| Ensure Firewall is configured to log | Firewall | Ensure Firewall is configured to log |
| Enable Firewall | Firewall | Firewall Status |
| Enable stealth mode | Firewall | Stealth Mode |
| Block all incoming connections | Firewall | Block All Incoming Connections |
| Block built-in apps from receiving incoming connections | Firewall | The "Automatically allow signed downloaded software" and "Automatically allow built-in software" options aren't supported, but both are forced ON when this payload is present. |
| Block downloaded apps from receiving incoming connections | Firewall | The "Automatically allow signed downloaded software" and "Automatically allow built-in software" options aren't supported, but both are forced ON when this payload is present. |
| Enable detailed firewall logging | Firewall | Ensure detailed firewall logging |
| Disable waking for network access | Energy Saver | Wake for network access |
| Disable sleeping when connected to power | Energy Saver | Disable sleep |
| Disallow unlock with Apple Watch | Restrictions | Disallow using Apple Watch for device unlock |
| Disallow unlock with Touch ID | Restrictions | Disallow using Face ID / Touch ID for device unlock |
| Disallow sending diagnostic and usage data to Apple | Restrictions | Disallow sending diagnostics and usage data to Apple |
| Disable Content Caching | Restrictions | Disallow use of Content Caching service |
| Disallow AirDrop | Restrictions | Disallow AirDrop |
| Disallow password sharing via AirDrop Passwords | Restrictions | Disallow Password Sharing |
| Disable Camera | Restrictions | Disallow use of camera |
| Disable Safari AutoFill | Restrictions | Disallow Safari AutoFill |
| Disallow Safari Password AutoFill | Restrictions | Disallow AutoFill Passwords |
| Disallow Game Center | Restrictions | Disallow use of Game Center |
| Disallow iCloud Desktop & Documents Sync | Restrictions | Disallow iCloud Desktop & Documents |
| Disallow iCloud Drive | Restrictions | Disallow iCloud Drive |
| Disallow iCloud Photos | Restrictions | Disallow iCloud Photo Library |
| Disallow iCloud Mail | Restrictions | Disallow iCloud Mail |
| Disallow iCloud Contacts | Restrictions | Disallow iCloud Address Book |
| Disallow iCloud Calendar | Restrictions | Disallow iCloud Calendar |
| Disallow iCloud Reminders | Restrictions | Disallow iCloud Reminders |
| Disallow iCloud Bookmarks | Restrictions | Disallow iCloud Bookmarks |
| Disallow iCloud Notes | Restrictions | Disallow iCloud Notes |
| Disallow iCloud Keychain Sync | Restrictions | Disallow iCloud Keychain |
| Disallow password proximity requests | Restrictions | Disallow proximity based password sharing requests |
| Lock screen after Screen Saver or sleep begins | Passcode | Require Passcode After Sleep or Screen Saver Begins |
| Disallow simple passwords | Passcode | Disallow Simple Passcode |
| Maximum failed login attempts | Passcode | Maximum Failed Attempts Before Account Lockout |
| Account lockout duration | Passcode | Account Lockout Duration |
| Minimum number of complex characters | Passcode | Minimum Complex Characters |
| Minimum password length | Passcode | Minimum Passcode Length |
| Require alphanumeric password | Passcode | Require Alphanumeric Passcode |
| Maximum allowed password age | Passcode | Maximum Passcode Age |
| Password history | Passcode | Passcode History |
| Force user to reset password at next authentication | Passcode | Force Password Reset |
Special consideration for migrating to the FileVault Library Item
When migrating to the new FileVault Library Item, special consideration needs to be made, as macOS can only have one FileVault Escrow profile installed at a time.
- You will need to first disable both FileVault Parameters and wait roughly 15-30 minutes for the majority of your devices to check in and for the Kandji Agent to uninstall the manually installed configuration profiles.
- After this, you will assign your new FileVault Library Item to the Blueprint being migrated. No end user interaction/disturbance will occur as long as a FileVault key was previously escrowed.
- Disabling the legacy FileVault Parameter(s) will NOT delete any currently escrowed FileVault Recovery Keys.
In the event that a device is not online for the Kandji Agent to uninstall the manually installed FileVault profiles prior to deploying the new Library Item, you may see the new Library Item initially fail to install due to macOS only allowing one of these profile types at a time. This error will self-correct at the next daily MDM check-in if the Kandji Agent has since removed the manually installed profile.
To initiate this remediation process manually, you can run the following commands locally.
This command will force a check-in and will remove the FileVault profile (if the Parameter has been disabled).
sudo kandji run
This command will force daily MDM check-in commands to run, triggering an install of the new FileVault Library Item.
sudo kandji update-mdm
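Both the general migration procedure ("confirm the Library Item has deployed before disabling the Parameter") and the FileVault special case above come down to the same question on a given Mac: which configuration profiles are installed, and does more than one of them carry a `com.apple.security.FDERecoveryKeyEscrow` payload? The script below is an added example, not Kandji's code. `profile_installed` answers the first question for any profile identifier, `escrow_profile_count` answers the second, and `plan_remediation` maps the count to the documented `kandji run` / `kandji update-mdm` steps. It assumes that `sudo profiles -C -o stdout-xml` on a Mac emits a plist whose `_computerlevel` array lists each profile's `ProfileIdentifier` and `ProfileItems` with their `PayloadType` values; that command and the plist layout are assumptions, and the embedded plist and the `com.example.*` identifiers are constructed for offline use.

```shell
#!/bin/sh
# Added example (not Kandji's code): detect a legacy agent-installed FileVault
# escrow profile still present beside the MDM-delivered one, and print the
# documented remediation. Run with --live on a Mac (needs sudo); without
# --live it evaluates the constructed sample below.

# Constructed sample of `profiles -C -o stdout-xml` output, trimmed to the
# fields used here. Two profiles carry a FDERecoveryKeyEscrow payload, which
# is the conflict macOS rejects.
SAMPLE_PROFILES_XML='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>_computerlevel</key><array>
<dict>
  <key>ProfileIdentifier</key>
  <string>com.example.legacy.filevault</string>
  <key>ProfileItems</key><array><dict>
    <key>PayloadType</key><string>com.apple.security.FDERecoveryKeyEscrow</string>
  </dict></array>
</dict>
<dict>
  <key>ProfileIdentifier</key><string>com.example.mdm.filevault</string>
  <key>ProfileItems</key><array><dict>
    <key>PayloadType</key><string>com.apple.MCX.FileVault2</string>
  </dict><dict>
    <key>PayloadType</key><string>com.apple.security.FDERecoveryKeyEscrow</string>
  </dict></array>
</dict>
</array></dict></plist>'

# profile_installed IDENTIFIER: read profile plist XML on stdin; return 0 if a
# profile with that ProfileIdentifier is installed. Use it to confirm the new
# Library Item's profile landed before disabling the Parameter.
profile_installed() {
    awk -v id="$1" '
        /<key>ProfileIdentifier<\/key>/ { want = 1 }
        want && match($0, /<string>[^<]*<\/string>/) {
            want = 0
            if (substr($0, RSTART + 8, RLENGTH - 17) == id) { found = 1; exit }
        }
        END { exit !found }'
}

# list_escrow_profiles: read profile plist XML on stdin; print the identifier
# of every profile that contains a FDERecoveryKeyEscrow payload, once each.
list_escrow_profiles() {
    awk '
        /<key>ProfileIdentifier<\/key>/ { want = 1 }
        want && match($0, /<string>[^<]*<\/string>/) {
            id = substr($0, RSTART + 8, RLENGTH - 17); want = 0
        }
        /com\.apple\.security\.FDERecoveryKeyEscrow/ && !seen[id]++ { print id }'
}

# escrow_profile_count: number of installed profiles carrying an escrow payload.
escrow_profile_count() {
    list_escrow_profiles | wc -l | tr -d ' '
}

# plan_remediation COUNT: print what to do; return 0 only when exactly one
# escrow profile is installed.
plan_remediation() {
    case "$1" in
    0)  echo "no FDERecoveryKeyEscrow profile installed: confirm the FileVault Library Item is assigned, then run: sudo kandji update-mdm"
        return 1 ;;
    1)  echo "ok: exactly one FDERecoveryKeyEscrow profile installed"
        return 0 ;;
    *)  echo "conflict: $1 profiles carry a FDERecoveryKeyEscrow payload"
        echo "disable the legacy FileVault Parameters in the Blueprint, then run: sudo kandji run"
        echo "once the agent has removed its profile, run: sudo kandji update-mdm"
        return 1 ;;
    esac
}

if [ "${1:-}" = "--live" ]; then
    xml=$(sudo profiles -C -o stdout-xml)
    printf '%s\n' "$xml" | list_escrow_profiles
    n=$(printf '%s\n' "$xml" | escrow_profile_count)
    plan_remediation "$n"
else
    printf '%s\n' "$SAMPLE_PROFILES_XML" | list_escrow_profiles
    n=$(printf '%s\n' "$SAMPLE_PROFILES_XML" | escrow_profile_count)
    plan_remediation "$n" || true
fi
```

The script deliberately stops at printing the commands rather than running `sudo kandji run` itself: the agent only removes its profile once the Parameter is disabled in the Blueprint, so running the commands before that step just reproduces the install failure at the next MDM check-in.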