Microsoft Company Portal (macOS)
1. Navigate to Library in the left-hand navigation bar.
2. Click Add New on the top-right, and choose Company Portal.
3. Click Add & Configure.
4. Optionally, assign a Label.
5. Assign to your desired Assignment Maps or Classic Blueprints. If this is the first time deploying MSDC, it is a good idea to deploy to a test blueprint scoped to a limited number of macOS devices so that you can see how it functions when deployed.
6. For the Installation type, choose Install and continuously enforce.
7. Select an option from the Version Enforcement dropdown. Your options include the following:
   - Do not manage updates
   - Automatically enforce new updates
   - Manually enforce a minimum version
8. Click Save.
For additional information on settings and options for Auto Apps, please refer to our Auto Apps Overview support article.
Microsoft Authenticator & Kandji Self Service (iOS & iPadOS)
In order to configure MSDC for iOS and iPadOS, you must first Configure Apps and Books, and add the Microsoft Authenticator and Kandji Self Service App Store Apps to your Kandji library. For instructions on adding apps from Apps and Books to Kandji, follow this guide.
1. Navigate to Library in the left-hand navigation bar.
2. Under App Store Apps, select Microsoft Authenticator.
3. Assign to your desired Assignment Maps or Classic Blueprints. If this is the first time deploying MSDC, it is a good idea to deploy to a test blueprint scoped to a limited number of macOS devices so that you can see how it functions when deployed.
4. Under Installation Type, choose Install and continuously enforce. If Microsoft Authenticator is installed on some devices, this process will not reinstall the app; instead, Kandji will take over its management.
5. In the Microsoft Device Compliance section, toggle the switch On.
6. Click Save.
7. Repeat steps 1-3 for Kandji Self Service, ensuring that both apps are applied to the same Blueprints.
User Registration
macOS
Once the Microsoft Company Portal app is installed on the Mac, the Kandji agent attempts to launch it automatically, following a specific process required by Microsoft, so that end users can begin registration. For more information about what users should expect, see our Microsoft Device Compliance: User Registration Experience support article.
iOS & iPadOS
Once the Microsoft Authenticator app is installed on a mobile device, users will find an option in the Kandji Self Service app labeled 'Microsoft Device Compliance Device.' This is where they can start the registration process.
How to Reset Microsoft Device Registration
You can use the Reset Microsoft Registration action on macOS, iOS, and iPadOS to reset the registration. This command does not require any supervision.
Prerequisites that should be in place before the action will appear in the action menu
- The MS Device Compliance integration should be set up both in Kandji and in the MS Intune portal.
- On macOS, the MS Company Portal app Library Item is scoped to the device and installed.
- On iOS and iPadOS, the MS Authenticator App Store app Library Item is scoped to the device and installed, and the MS Device Compliance setting is toggled on.
Existing Kandji device record (record not removed) and same user is re-registering the device
1. Navigate to the Device record.
2. Open the Device Action Menu.
3. Select Reset Microsoft Registration.
4. Click Reset Device Registration.
5. Kandji sends an update to Microsoft Entra ID that the device is no longer managed and is not compliant.
6. Kandji resets the MSDC registration status for the device record in Kandji.
7. The end-user can now re-register the device.
   - On macOS, the Kandji Agent sees that the device is no longer registered and prompts the user to register their device again.
     - This will happen at agent check-in or if a manual check-in is performed on the Mac.
   - On iOS and iPadOS, the user can follow the registration process as if registering the device for the first time.
8. Kandji updates the device record in Microsoft Entra ID, letting Entra know that the device is now managed by Kandji again and compliant.
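The following is an added example, not Kandji's or Microsoft's code, for confirming the Entra ID side of the reset flow above from a Microsoft Graph `/devices` listing. It assumes the `isManaged` and `isCompliant` properties of the Graph device object are where Kandji's update shows up; the sample response, device names, and the helper names `registration_state` and `verify_reset` are constructed for illustration.

```python
import json

# Constructed sample shaped like a Microsoft Graph GET /v1.0/devices response.
# Names and IDs are made up; null appears when a flag is unset on the device object.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"deviceId": "00000000-0000-0000-0000-000000000001", "displayName": "mac-01",
     "isManaged": False, "isCompliant": False},
    {"deviceId": "00000000-0000-0000-0000-000000000002", "displayName": "ipad-07",
     "isManaged": True, "isCompliant": True},
    {"deviceId": "00000000-0000-0000-0000-000000000003", "displayName": "mac-02",
     "isManaged": None, "isCompliant": None},
    {"deviceId": "00000000-0000-0000-0000-000000000004", "displayName": "iphone-03",
     "isManaged": True, "isCompliant": False},
]})


def registration_state(device):
    """Map the two Entra flags onto the stages of the reset flow."""
    managed = device.get("isManaged") is True      # null counts as not managed
    compliant = device.get("isCompliant") is True  # null counts as not compliant
    if managed and compliant:
        return "registered"             # managed again and compliant
    if managed:
        return "managed-noncompliant"
    if compliant:
        return "inconsistent"           # compliant without management: investigate
    return "reset-or-unregistered"      # state expected right after a reset


def verify_reset(response_text, reset_names):
    """Check devices that were just reset; return (confirmed, still_trusted, missing)."""
    # Assumes display names are unique in the listing, as they are in the sample.
    devices = {d.get("displayName"): d for d in json.loads(response_text)["value"]}
    confirmed, still_trusted, missing = [], [], []
    for name in sorted(reset_names):
        if name not in devices:
            missing.append(name)         # no Entra record with that name
        elif registration_state(devices[name]) == "reset-or-unregistered":
            confirmed.append(name)
        else:
            still_trusted.append(name)   # Entra still shows managed and/or compliant
    return confirmed, still_trusted, missing


if __name__ == "__main__":
    print(verify_reset(SAMPLE_RESPONSE, {"mac-01", "ipad-07", "mac-09"}))
```

A device that lands in `still_trusted` after a reset still carries a managed or compliant flag in Entra ID, so it is worth rechecking once the reset has had time to propagate.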
Possible error messages and their descriptions
Below are possible error messages that you could see in Kandji when sending the action to reset Microsoft registration.
Message | Description |
---|---|
“No active Microsoft device registration found.” | This means that the device has a record in Kandji, and there is a Microsoft device registration for the device in Kandji, but it is not active. This is generally due to the device no longer being enrolled in Kandji, either because the MDM profile was removed locally on the device or because the erase device action was sent from Kandji. To remediate, the device needs to be re-enrolled in Kandji and the MSDC registration needs to be completed again locally on the device. |
“Device is not registered” | This means that the device has all of the prerequisites in place but has not yet registered with Microsoft through the Kandji MSDC integration. If the device was registered with Microsoft previously through another MDM solution, the end-user will need to complete the registration process again through the Kandji integration. See MSDC registration for more details. |
“Reset Registration failed” | Default error message if none of the above. |
Compliance Status
After a user has registered their device, see our Microsoft Device Compliance: Validating Compliance support article to verify the compliance status.