Getting Started with Kandji - Setup

By Corey Willis

Use this guide to start setting up Kandji.

Note: Microsoft Entra ID is the new name for Azure AD (Azure Active Directory)

What is covered in this guide:

Configure Apple Push Notification service (APNs)

Mobile device management (MDM) is a framework that allows devices to be secured and controlled, and to have policies enforced, remotely. MDM relies on APNs to communicate with Apple devices. You must create a new APNs certificate before enrolling any devices.

Note: The Add Devices page will not be accessible until Apple Push Notification service is configured. For best results, use a macOS computer.
  1. In the left-hand navigation bar, click Settings.
  2. Select the Apple Integrations tab.
  3. Under Apple Push Notifications service (APNs), click Configure APNs.

  4. Follow the on-screen instructions to create a new APNs certificate.
Do not attempt to use an existing APNs certificate. Use an Apple ID linked to your business email address.

If you have an Apple Business Manager account or Apple School Manager account, we recommend creating a new Managed Apple ID in ABM or ASM named APNS@YourDomain.com. Refer to these articles to learn how to set up Managed Apple IDs for Apple Business Manager and Apple School Manager.

APNs certificates automatically expire annually, so you will need to renew your Kandji APNs certificate each year. Kandji will alert you when the certificate should be renewed.

Configure Automated Device Enrollment

Automated Device Enrollment allows devices to enroll automatically into Kandji when they are first powered on and set up. Once enrolled, devices will receive settings and apps configured within Kandji.

To use Automated Device Enrollment, you must be enrolled in Apple Business Manager. There is no cost to enroll, but it may take several days to complete the process if you have not done so already.

If you already have Apple Business Manager set up and are migrating from a previous MDM, add Kandji as a new MDM server in Apple Business Manager and reassign devices to Kandji. Users with existing devices will not notice this change—it is only apparent when configuring a new device.

After you assign devices to Kandji in Apple Business Manager, they will appear in the Kandji web app in the Devices module under Automated Device Enrollment, with the device name listed as Awaiting Enrollment. This does not mean devices are enrolled in Kandji; enrollment occurs during the new-device setup process.

Steps to configure Automated Device Enrollment 

  1. In the left-hand navigation bar, click Settings.
  2. Select the Apple Integrations tab.
  3. Under Automated Device Enrollment, click Configure.

  4. Follow the on-screen instructions to set up Automated Device Enrollment.

Configure Apps and Books

Apps and Books allows you to get free and paid apps from Apple's App Store and distribute them to devices using Kandji. This is different from Auto Apps or Custom Apps in Kandji. 

To use Apps and Books, you will need to be enrolled in Apple Business Manager. To configure Apps and Books:

  1. Navigate to Settings in the left-hand navigation bar.
  2. Select the Apple Integrations tab.
  3. Under Apps and Books, click Configure.

  4. Follow the on-screen instructions to set up Apps and Books. For detailed instructions, see this article.
  5. Click Complete Apps and Books setup.

Configure User Directory Integration

Connect your organization's Microsoft Entra ID or Google Workspace, or configure a SCIM integration with a service such as Okta, to sync users and identify which device belongs to which user. Kandji makes it simple to assign users to devices. The integration is not required, but it helps for inventory purposes. Users will appear in Kandji under Users. For additional information, see this article.


Add Additional Administrators

Having more than one administrator helps in the event you are locked out of your account. To add additional administrators:

  1. Click Settings in the left-hand navigation bar.
  2. Select the Access tab.
  3. Click New User on the top right.
  4. Fill in the required fields and choose an appropriate access level for the new team member.

Invitations expire after 24 hours. If 24 hours pass before the account is created, an existing administrator or account owner must resend the invitation from the Access tab under Settings.

Add and Configure Library Items

The Library section allows you to add and configure additional items such as profiles, scripts, App Store apps, Auto Apps, and custom apps that will be deployed to your devices. To add an item to your library:

  1. Navigate to Library in the left-hand navigation bar.
  2. Click Add New from the top right of the screen.

  3. Find the library item that you wish to add.
  4. Click Add & configure.

Add as many library items as you’d like. You can also sync in App Store apps through your Apple Business Manager account once your Apps & Books integration is complete. At a minimum, we recommend adding the apps you know your devices will need at the initial setup. You can always add more Library items down the road and deploy them to your devices after setup.

Adding custom Library items allows you to configure complex tasks your organization may require. For example, in this article, we show you how to create a System Extension Profile.

While library items are available for use in any Blueprint, some are compatible only with specific platforms. For instance, you can deploy a System Extension Profile only to a macOS device, not to an iOS device.

Next steps

Now that you have configured your Kandji account setup, it is time to define your device management strategy.

Next: Getting Started with Kandji: Define