What is Prism?
Prism is Kandji’s tool for viewing a large array of data about the devices in your fleet. Prism provides a centralized interface and a set of APIs to query this data in aggregate without inspecting individual devices.
With Prism, this data is automatically collected for you regularly and can be accessed anytime. Additionally, by leveraging data exports or the API, you can bring data into external tools and services from a simple spreadsheet to a data warehouse.
Prism currently exposes the following categories of data. Note that attribute locations and category names are subject to change during the Preview phase.
- Devices: General information about your enrolled devices–this section will eventually replace the main devices page within Kandji.
- Activation Lock: Activation lock details and status across iOS, iPadOS, and macOS devices.
- Application Firewall: Information about the status of the built-in macOS application firewall. This category does not include firewall exceptions. These will be available at a later time in their own category.
- Apps: Application inventory across your macOS and iOS device fleet.
- Desktop & Screensaver: Desktop and screensaver configuration for macOS devices.
- FileVault: FileVault status on macOS devices.
- Gatekeeper & XProtect: Gatekeeper and XProtect version and status information on macOS clients. Gatekeeper exceptions will be coming as a separate category.
- Installed Profiles: All installed profiles across all device types, including profiles not installed by Kandji.
- Kernel Extensions: All installed kernel extensions and their status for macOS devices.
- Launch Agents & Daemons: All launch daemons and launch agents and their status for macOS devices.
- Local Users: All local users for macOS devices.
- Startup Settings: Information such as System Integrity Protection (SIP) status, Sealed System Volume (SSV) status, and other core security settings for macOS.
- System Extensions: All installed system extensions and their status for macOS devices.
- Transparency Database: All Transparency, Consent, and Control/Privacy Preferences Policy Control (TCC/PPPC) exceptions for macOS devices.
Learn how to interact with Prism, query data, manage table views, and more.
The Prism tab
This is the new tabbed navigation layout to switch between the Devices and Prism pages of the Devices section in Kandji. Clicking Prism will open the Prism tab.
The Edit view button allows you to filter the available categories and the results within all categories based on Blueprint or device family. For example, you may want to show only iOS devices within the All Employees Blueprint.
This global filter affects all categories. Some categories may become grayed out if they are not applicable to the filtered platform. For example, FileVault becomes grayed out if you select the global filter for iOS devices.
This button hides or unhides the prism category sidebar, allowing you to have a larger display area for the table. Additionally, you can hide the main Kandji sidebar to get an even larger display area.
When clicked, the column selector will open the column selection dialog. This modal dialog allows you to select what specific attributes you want visible in the table for the current category.
Within the column editor shown below, you can perform the following:
Search for a specific attribute if you have a specific attribute in mind.
Close the modal without saving changes, can also be done via cancel.
Reset the category view to the Kandji default.
Add an individual attribute to the table.
Remove an attribute from the displayed table.
Apply and save the changes.
Additionally, you can drag and drop attributes to reorder the view.
The CSV export button allows you to export the entire contents of the category you are viewing, you can choose whether to include the currently displayed columns or all attributes of the category.
The Add Filter button, allows you to filter the results of the table based on the value of any attribute within the category. For example, within the FileVault category, you may want to create a filter that shows you where FileVault is ON but Kandji does not yet have the FileVault Recovery Key escrowed. This will show your devices where the user is ignoring the regeneration request in the Kandji menu bar app.
The pagination controls will allow you to page through a category.
It's important to understand the possible values for individual attributes within Prism.
A single attribute may
Have a value
Boolean (true/false, yes/no, on/off), strings, numeric values, etc.
May have an empty value (for attributes that return an empty value)
For example, a launch daemon that doesn’t have any program arguments
May be null, especially if not applicable to the device platform
For example, application signature on iOS devices, because Apple does not expose application signing information over the MDM protocol
Cross-Category Shared Attributes
You will notice that some attributes are present in each Prism category.
The name of the enrolled device–links to the device record
The assigned user of the device record–links to the user record
The assigned Blueprint for the device–links to the Blueprint record
The last timestamp at which the data was collected
The last timestamp at which the data was collected and the values mutated from their previous state. For example, FileVault status was collected and has toggled to On.
Collection frequency depends on the category and method in which we collect the data.
All device families
iOS, iPadOS, macOS
15 Minutes / 24 Hours
24 hours for iOS/iPadOS/tvOS, near-instant for macOS.
All device families
Desktop & Screensaver
Gatekeeper & XProtect
All device families
Launch Agents & Daemons
Prism was designed with an ‘API-first’ approach. Everything you can do via the web application is achievable from day one through the Kandji API.
With the Prism API, you can programmatically:
Query any individual category with any subset of filters
Request a CSV export of any category and retrieve the result set asynchronously
You can find the permissions for Prism API access in the API permissions UI in the Kandji Web App under Settings > Access. These permissions are not turned on by default for existing API tokens.