Learn about what the Kandji Agent Installs on Mac computers
When a Mac is enrolled in Kandji, the Kandji Agent is installed to extend the device management capabilities beyond what Apple's Mobile Device Management (MDM) framework can achieve. The agent ensures that various configurations, security policies, and applications are enforced and maintained on the device. To support its functionality, the Kandji Agent installs a few key components, including the Kandji Agent Settings Profile and encrypted database (.dbee) files.
Kandji Agent Settings Profile
The Kandji Agent Settings Profile is an MDM configuration profile automatically installed on all enrolled Mac computers. This profile ensures seamless operation of the Kandji agent and related services such as Self Service, Liftoff, Passport, and the Kandji Extension Manager. It includes several important payloads:
- Login and Background Items Management (Service Management) - Ensures that users cannot prevent Kandji from loading at startup on macOS Ventura and later.
- Notification Settings - Allows Kandji apps to send notifications to users.
- Privacy Preferences Policy Control - Grants Kandji Full Disk Access to run custom scripts and install or update both custom and Auto Apps.
- System Extensions - Manages the Kandji ESF Extension, which is used for application blocking. This extension prevents blocked applications from launching by intercepting them at the kernel level before any code execution occurs.
These payloads ensure that the Kandji agent can perform critical tasks without user interference, such as enforcing security policies, running scripts, and managing app installations.
Encrypted Database Files (.dbee)
The Kandji Agent also installs encrypted database files on each device to store essential information locally. These files enable offline functionality and ensure that data is preserved even if network connectivity is lost. The primary database files include:
- TCData.dbee - Stores hashes of application data, quarantine data, Endpoint Detection & Response (EDR) offline rules, EDR settings, and other EDR-related events.
- Agent.dbee - Contains parameter settings and history for offline usage.
- KandjiData.dbee - Stores currently enabled features, first-time run information, Self Service deferrals, and scheduled installs.
- Library.dbee - Holds information about Library Items and their statuses for reporting during an agent run.
- RTCData.dbee - Stores Real-Time Communication (RTC) messages in case of network failure or power loss.
- VBData.dbee - Logs Prism report history.
These database files allow the Kandji Agent to function independently of network connectivity by storing critical configuration data locally.