Parameter Transition

By Jordan Moore

Understand which Parameters are being transitioned and what action is required by Kandji administrators. 

Transition Overview

Parameters within Kandji are being strategically transitioned towards Library Items to reflect a more modern and scalable UI language, as well as to allow better flexibility for configurations shared among Blueprints within an instance. This transition is also driven by new enforcement mechanisms, such as full MDM control rather than agent-driven mechanisms.

Timelines 

In October of 2020, due to changes within macOS Big Sur, we transitioned 63 Parameters to Library Items; those Parameters can be found in the October 2020 - Transitioned Parameters section below. 

In addition to the October 2020 - Transitioned Parameters, 21 additional Parameters will be transitioned. These additional Parameters can be found in the March 2022 - Transitioned Parameters section below. 

As of March 23, 2022, the Kandji Agent will stop enforcing all 84 of these transitioned Parameters on enrolled Mac computers, and on April 6, 2022, we will remove the transitioned Parameters from Kandji entirely.

Please note that although the Parameters will be removed from the Blueprint and device status areas, the Parameter history will remain in the activity areas.

Action required

If you are currently using any of the Parameters listed below and want to enforce these controls on macOS Big Sur and later versions of macOS, you will need to migrate to the new Library Item or alternative control equivalent of the Parameter. 

Even if you have not transitioned your environment to Big Sur and later, we recommend migrating as soon as possible, as the Library Items will work for macOS Monterey, macOS Big Sur, and previous versions of macOS. You are not required to enable both the Parameter and Library Item to support multiple macOS versions in a single Blueprint.

How to migrate

In most cases, there is a direct Library Item equivalent to a transitioned Parameter. Migrating to the Library Item equivalent is straightforward, as macOS can usually have multiple copies of the same configuration profile installed at a time (although there are exceptions, such as the FileVault escrow profile described below).

To migrate, add the new Library Item to your Library and match the settings you have configured with Parameters in your Blueprints. Once you have these settings matched, assign the Library Item to the Blueprint. Once you have confirmed that the Library Item has successfully deployed to the bulk of your devices, you can disable the Parameter. 

March 2022 - Transitioned Parameters

Understand which Parameters are being transitioned and which Library Items you should leverage to replace them. Many of these new Library Items have additional new benefits, such as rotating the FileVault Key automatically.


macOS 12.3 considerations 

Mac computers that upgrade to macOS 12.3 prior to March 23, 2022, will not have any Parameters enforced by the Kandji Agent, due to compatibility issues. On March 23, 2022, all non-transitioned Parameters will be enforced once again.

Parameter | Alternative Control | Additional Information
--- | --- | ---
Custom Compliance Scripts | Custom Scripts Library Item | 
Disable Java 6 from being the default Java runtime | None | No longer a CIS requirement on macOS 10.14 or greater.
Manage Adobe Flash Player | Custom Script | Flash Player went EOL on 12/31/2020; we recommend a full uninstall.
Disable Handoff | Restrictions Profile | 
Disable Siri | Restrictions Profile | 
Disallow Find My Mac | None | Not supported on macOS 10.14 or greater.
Force Install macOS updates after specified time period | Managed OS Library Item | Learn more
Disable the Infrared Receiver if no paired devices exist | None | 
Disable FTP Server | None | Not supported on macOS 10.13 or greater.
Set retention for authd.log | OSLog (Configured by SIEM client) | Deprecated for OSLog
Set retention for appfirewall.log | OSLog (Configured by SIEM client) | Deprecated for OSLog
Set retention for system.log | OSLog (Configured by SIEM client) | Deprecated for OSLog
Advanced Password Management BETA | Passcode Library Item | Please open feedback with Apple if the passcode profile does not fit your needs.
Disable console login | None | Not supported on macOS 10.13 or greater.
Set a Firmware Password BETA | Custom Script | GitHub Resource
Restrict NTP server to loopback interface | None | Not supported on macOS 10.13 or greater.
Watchman Monitoring Client | Custom App | Learn more
Enable OCSP and CRL certificate checking | None | Not supported on macOS 10.13 or greater.
Disable Bluetooth Discoverable Mode when not pairing devices | None | Not required by CIS. We have had multiple reports of this Parameter not functioning as expected.
Manage display sleep interval | Screensaver Library Item | Ensure the display sleep interval is greater than the Screen Saver interval.
Manage number of allowed firewall rules | Firewall Library Item | The CLI method leveraged to control this cannot be used on macOS 11 or greater in conjunction with the MDM payload.
Disable Internet Plug-Ins for global use in Safari | None | Plug-ins are no longer supported in Safari 14 or greater.

October 2020 - Transitioned Parameters

Understand which Parameters are being transitioned and which Library Items you should leverage to replace them. Many of these new Library Items have additional new benefits, such as rotating the FileVault Key automatically.

Why are these Parameters being transitioned?

With macOS Big Sur and later, Apple has introduced security improvements that require configuration profiles to be installed either by a user through System Preferences or by the MDM server the device is enrolled in. This change improves security by preventing privileged local processes from installing configuration profiles silently.

For a minority of Parameters, the Kandji Agent installs configuration profiles to apply and enforce settings. In order to support the changes in macOS Big Sur and later, we have transitioned these Parameters to new Library Items where the configuration profile portions of the control are installed via MDM. 

Additionally, for some Library Items such as FileVault and Firewall, the agent logic has been improved to work alongside profiles when these Library Items are configured and continue to enforce settings beyond what configuration profiles can currently achieve. Examples include regenerating FileVault Recovery Keys for previously encrypted macOS devices, setting extended logging options for the macOS Firewall, or re-enabling the Firewall if manually disabled by a local administrator.

What to expect

Learn what to expect when devices upgrade to macOS Big Sur and later.

For your devices that are already enrolled into Kandji and upgrade to macOS Big Sur and later

The profiles installed by the Kandji Agent will not be removed until you disable the Parameter as part of migrating to the new Library Item equivalent. However, on macOS Big Sur and later, remediation will fail if the profile is removed, because the Kandji Agent can no longer reinstall the profile via the Parameter. 

For devices running Big Sur and later that are enrolled into Kandji

The Kandji Agent will report these Parameters that install configuration profiles as Incompatible and will not install the configuration profile.

Parameter | Library Item Replacement | Library Item Option
--- | --- | ---
Enable FileVault 2 | FileVault | FileVault enforcement
Escrow FileVault Recovery Keys to Kandji | FileVault | Escrow recovery keys to Kandji
Manage Screen Saver | Screen Saver | Configure Screen Saver for Login Window, Configure Screen Saver for users
Restrict App Store app installs and software updates to admin users | Software Update | Restrict software updates to admins
Disable Beta Updates | Software Update | Disallow install of macOS beta releases
Automatically check for updates | Software Update | Check for updates
Automatically download and install security updates | Software Update | Install system data files and security updates
Download macOS and App Store app updates in the background | Software Update | Download new updates when available
Automatically install macOS updates | Software Update | Install available macOS updates automatically
Automatically install App Store updates | Software Update | Install App Store app updates
Delay software update availability | Software Update | Defer Software Updates
Disable software update notifications | App Store | Disable software update notifications
Restrict App Store to software updates only | App Store | Block Mac App Store
Manage media access | Media Access | Manage Media Access
Disconnect all media at logout | Media Access | Disconnect all media at logout
Manage disc burning | Media Access | Manage disc burning
Display login window as name and password | Login Window | Manage user visibility
Disable and remove password hints | Login Window | Manage password hints
Disable fast user switching menu | Login Window | Disable the fast user switching menu
Disable automatic logins | Login Window | Disable automatic login
Enforce a custom message for the lock screen | Login Window | Set Lock Message
Log out inactive users | Login Window | Automatically log out inactive users
Manage Gatekeeper | Gatekeeper | Allow apps downloaded from
Disallow users from overriding Gatekeeper settings | Gatekeeper | Disallow users from overriding Gatekeeper Settings
Ensure Firewall is configured to log | Firewall | Ensure Firewall is configured to log
Enable Firewall | Firewall | Firewall Status
Enable stealth mode | Firewall | Stealth Mode
Block all incoming connections | Firewall | Block All Incoming Connections
Block built-in apps from receiving incoming connections | Firewall | The "Automatically allow signed downloaded software" and "Automatically allow built-in software" options aren't supported, but both are forced ON when this payload is present.
Block downloaded apps from receiving incoming connections | Firewall | The "Automatically allow signed downloaded software" and "Automatically allow built-in software" options aren't supported, but both are forced ON when this payload is present.
Enable detailed firewall logging | Firewall | Ensure detailed firewall logging
Disable waking for network access | Energy Saver | Wake for network access
Disable sleeping when connected to power | Energy Saver | Disable sleep
Disallow unlock with Apple Watch | Restrictions | Disallow using Apple Watch for device unlock
Disallow unlock with Touch ID | Restrictions | Disallow using Face ID / Touch ID for device unlock
Disallow sending diagnostic and usage data to Apple | Restrictions | Disallow sending diagnostics and usage data to Apple
Disable Content Caching | Restrictions | Disallow use of Content Caching service
Disallow AirDrop | Restrictions | Disallow AirDrop
Disallow password sharing via AirDrop Passwords | Restrictions | Disallow Password Sharing
Disable Camera | Restrictions | Disallow use of camera
Disable Safari AutoFill | Restrictions | Disallow Safari AutoFill
Disallow Safari Password AutoFill | Restrictions | Disallow AutoFill Passwords
Disallow Game Center | Restrictions | Disallow use of Game Center
Disallow iCloud Desktop & Documents Sync | Restrictions | Disallow iCloud Desktop & Documents
Disallow iCloud Drive | Restrictions | Disallow iCloud Drive
Disallow iCloud Photos | Restrictions | Disallow iCloud Photo Library
Disallow iCloud Mail | Restrictions | Disallow iCloud Mail
Disallow iCloud Contacts | Restrictions | Disallow iCloud Address Book
Disallow iCloud Calendar | Restrictions | Disallow iCloud Calendar
Disallow iCloud Reminders | Restrictions | Disallow iCloud Reminders
Disallow iCloud Bookmarks | Restrictions | Disallow iCloud Bookmarks
Disallow iCloud Notes | Restrictions | Disallow iCloud Notes
Disallow iCloud Keychain Sync | Restrictions | Disallow iCloud Keychain
Disallow password proximity requests | Restrictions | Disallow proximity based password sharing requests
Lock screen after Screen Saver or sleep begins | Passcode | Require Passcode After Sleep or Screen Saver Begins
Disallow simple passwords | Passcode | Disallow Simple Passcode
Maximum failed login attempts | Passcode | Maximum Failed Attempts Before Account Lockout
Account lockout duration | Passcode | Account Lockout Duration
Minimum number of complex characters | Passcode | Minimum Complex Characters
Minimum password length | Passcode | Minimum Passcode Length
Require alphanumeric password | Passcode | Require Alphanumeric Passcode
Maximum allowed password age | Passcode | Maximum Passcode Age
Password history | Passcode | Passcode History
Force user to reset password at next authentication | Passcode | Force Password Reset

Special consideration for migrating to the FileVault Library Item

When migrating to the new FileVault Library Item, special consideration needs to be made, as macOS can only have one FileVault Escrow profile installed at a time. 

  1. First disable both FileVault Parameters and wait roughly 15-30 minutes for the majority of your devices to check in and for the Kandji Agent to uninstall the manually installed configuration profiles. 
  2. After this, assign your new FileVault Library Item to the Blueprint being migrated. No end-user interaction or disturbance will occur as long as a FileVault key was previously escrowed. 
  3. Note that disabling the legacy FileVault Parameter(s) will NOT delete any currently escrowed FileVault Recovery Keys.

In the event that a device is not online for the Kandji Agent to uninstall the manually installed FileVault profiles prior to deploying the new Library Item, you may see the new Library Item initially fail to install due to macOS only allowing one of these profile types at a time. This error will self-correct at the next daily MDM check-in if the Kandji Agent has since removed the manually installed profile.

To initiate this remediation process manually, you can run the following commands locally on the Mac. 

This command forces an agent check-in and removes the legacy FileVault profile (provided the Parameter has been disabled):

sudo kandji run 

This command forces the daily MDM check-in commands to run, triggering an install of the new FileVault Library Item: 

sudo kandji update-mdm
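The following shell script is an added example for the manual remediation above; it is not Kandji's code. It confirms that the legacy escrow profile is actually gone before triggering the MDM check-in, so the new Library Item is not attempted while macOS still has an escrow profile installed. It assumes the text format of `sudo profiles show -type configuration` on macOS (one attribute per line, with `payloadType:` lines per payload), and uses Apple's documented FileVault escrow payload type `com.apple.security.FDERecoveryKeyEscrow`. The profile identifiers in the sample are constructed placeholders, not Kandji's real identifiers, and the sample output itself is constructed so the parsing functions can be exercised on any machine.

```shell
#!/bin/sh
# Added example (not Kandji's code): gate the "kandji update-mdm" step on the
# legacy FileVault escrow profile having been removed by the agent check-in.

# Constructed sample in the style of `sudo profiles show -type configuration`.
# Identifiers are placeholders; only the payloadType values are real Apple types.
SAMPLE_PROFILES_OUTPUT='_computerlevel[1] attribute: profileIdentifier: PLACEHOLDER.legacy-filevault
_computerlevel[1] attribute: profileType: Configuration
_computerlevel[1] payload[1] attribute: payloadType: com.apple.security.FDERecoveryKeyEscrow
_computerlevel[1] payload[2] attribute: payloadType: com.apple.MCX.FileVault2
_computerlevel[2] attribute: profileIdentifier: PLACEHOLDER.restrictions
_computerlevel[2] attribute: profileType: Configuration
_computerlevel[2] payload[1] attribute: payloadType: com.apple.applicationaccess'

# count_escrow_payloads: read `profiles show` text on stdin and print how many
# FileVault escrow payloads are installed. macOS allows only one at a time.
count_escrow_payloads() {
    awk '/payloadType: com\.apple\.security\.FDERecoveryKeyEscrow/ { n++ }
         END { print n + 0 }'
}

# escrow_profile_identifiers: read `profiles show` text on stdin and print the
# profileIdentifier of every profile carrying an escrow payload, so an admin can
# tell whether the remaining one is the legacy agent-installed profile.
escrow_profile_identifiers() {
    awk '
        /attribute: profileIdentifier:/ { id[$1] = $NF }
        /payloadType: com\.apple\.security\.FDERecoveryKeyEscrow/ { print id[$1] }
    '
}

# remediate_filevault_migration: the manual sequence from the article, gated on
# the check above. Requires a real Mac with the profiles and kandji tools.
remediate_filevault_migration() {
    before=$(sudo profiles show -type configuration | count_escrow_payloads)
    echo "escrow payloads before agent check-in: $before"

    # Force an agent check-in; removes the legacy profile if the Parameter is disabled.
    sudo kandji run

    after=$(sudo profiles show -type configuration | count_escrow_payloads)
    if [ "$after" -eq 0 ]; then
        # Safe to let MDM install the new FileVault Library Item.
        sudo kandji update-mdm
    else
        echo "legacy escrow profile still installed:" >&2
        sudo profiles show -type configuration | escrow_profile_identifiers >&2
        echo "disable the FileVault Parameters, wait for check-in, then retry" >&2
        return 1
    fi
}

# Stand-alone run: exercise the parser on the constructed sample (no sudo needed).
# On a Mac, call remediate_filevault_migration instead.
printf '%s\n' "$SAMPLE_PROFILES_OUTPUT" | escrow_profile_identifiers
```

The two awk filters key on the `_computerlevel[N]` prefix so a payload is attributed to the profile that contains it; if your `profiles` output differs, adjust the patterns rather than the gating logic.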