Team Member Role Permissions

By Emalee Firestein

Learn about the differences between Kandji Team Members

New Team Members may be invited only via the Company's Kandji Account inside the Settings tab. Account owner - a variation of Admin role that cannot be modified/removed by other Admins, is created upon new tenant sign-up or may be transferred from another Admin. You can also see our Modify or Remove Team Members page for more information. 

Access Levels

Account Owner

Full access to all functionality. Other team members cannot delete the Account Owner.

When creating your Kandji account, the first team member will be given 24 hours to activate their account via email. If 24 hours pass before the account is created, attempting to reset the password will send a new email link.

Administrator

Full access to all functionality. Accounts with this role can be deleted by other administrators.

Additional administrators will have 24 hours to activate their Kandji account via email. If 24 hours pass before the account is created, an existing admin must re-send the invitation.

Standard

Same permissions as Administrator accounts without access to Settings.

Help Desk

No access to Settings and has read-only access to Blueprints and Library Items. Helpdesk users can perform all device actions, including deleting a device.

Auditor

Limited read-only access to the Kandji Web App.

Permissions Overview

CategoryPermissionOwnerAdminStandardHelp DeskAuditor
ConfigurationManage BlueprintsRead OnlyRead Only
Manage Parameters
Manage Library Items
Manage Enrollment Portal
Device ManagementEnroll DevicesRead Only
Manage Devices
Manage User Assignments
Device Tags
Basic Device ActionsSend Blank Push
Set Device Name
Renew MDM Profile
Reinstall Agent
Unlock User Account
Sensitive Device ActionsLock Device
Erase Device
Restart Device
Shutdown Device
Set Auto Admin Password
Delete User Account
Access Device Secrets
Delete device record
Settings & IntegrationsCompany Settings
User Management
Integrations
Apple Integrations
Self Service Settings
API Token
OwnershipAccount Permanence
Transfer Account Ownership


Web App Authorization & Session Duration

For security purposes, Team Members will be required to authenticate their active session in the Kandji Web App regularly, regardless of their assigned role.  

  • Team Members will be required to log in every 24 hours.
  • After 60 minutes of inactivity, Team Members will be logged out automatically.