New Team Members may be invited only via the Company's Kandji Account inside the Settings tab. Account owner - a variation of Admin role that cannot be modified/removed by other Admins, is created upon new tenant sign-up or may be transferred from another Admin. You can also see our Modify or Remove Team Members page for more information.
Access Levels
Account Owner
Full access to all functionality. Other team members cannot delete the Account Owner.
When creating your Kandji account, the first team member will be given 24 hours to activate their account via email. If 24 hours pass before the account is created, attempting to reset the password will send a new email link.
Administrator
Full access to all functionality. Accounts with this role can be deleted by other administrators.
Additional administrators will have 24 hours to activate their Kandji account via email. If 24 hours pass before the account is created, an existing admin must re-send the invitation.
Standard
Same permissions as Administrator accounts without access to Settings.
Help Desk
No access to Settings and has read-only access to Blueprints and Library Items. Helpdesk users can perform all device actions, including deleting a device.
Auditor
Limited read-only access to the Kandji Web App.
Secrets Auditor
Limited read-only access to the Kandji Web App plus the ability to read:
macOS FileVault recovery keys
Activation lock bypass codes
Recovery lock password
Device unlock PIN
Permissions Overview
Category | Permission | Owner | Admin | Standard | Help Desk | Auditor |
|---|---|---|---|---|---|---|
Configuration | Manage Blueprints | ✅ | ✅ | ✅ | Read Only | Read Only |
Manage Parameters | ||||||
Manage Library Items | ||||||
Manage Enrollment Portal | ||||||
Device Management | Enroll Devices | ✅ | ✅ | ✅ | ✅ | Read Only |
Manage Devices | ||||||
Manage User Assignments | ||||||
Device Tags | ||||||
Basic Device Actions | Send Blank Push | ✅ | ✅ | ✅ | ✅ | ❌ |
Set Device Name | ||||||
Renew MDM Profile | ||||||
Reinstall Agent | ||||||
Unlock User Account | ||||||
Sensitive Device Actions | Lock Device | ✅ | ✅ | ✅ | ✅ | Read Only (Device Secrets) |
Erase Device | ||||||
Restart Device | ||||||
Shutdown Device | ||||||
Set Auto Admin Password | ||||||
Delete User Account | ||||||
Access Device Secrets | ||||||
Delete device record | ||||||
Settings & Integrations | Company Settings | ✅ | ✅ | ❌ | ❌ | ❌ |
User Management | ||||||
Integrations | ||||||
Apple Integrations | ||||||
Self Service Settings | ||||||
API Token | ||||||
Ownership | Account Permanence | ✅ | ❌ | ❌ | ❌ | ❌ |
Transfer Account Ownership |
Web App Authorization & Session Duration
For security purposes, Team Members will be required to authenticate their active session in the Kandji Web App regularly, regardless of their assigned role.
Team Members will be required to log in every 24 hours.
After 60 minutes of inactivity, Team Members will be logged out automatically.