Kandji updates kandji.io

The Kandji API has been updated.

First, we are releasing 25 new endpoints to it (bringing the total to 29), enabling you to do things like programmatically update, lock, or shut down a device or delete a user.

Second, you now have more control over API tokens. You can configure, manage, and edit permissions, either when you create an API token or later. API access and changes to API tokens are now recorded to the API activity tab.

The Kandji API is included at no additional cost for customers in the 500-device tier and above; it’s available as an add-on for customers in lower tiers.

Kandji has added support for enrollment customization. This new option in the Automated Device Enrollment Configuration Library item allows you to require users to authenticate with a Single Sign-On connection during automated device enrollment on a Mac, iPhone, or iPad.

Once a user authenticates, they can be automatically matched from your user directory and assigned to the device. 

Note that you will need to have SSO enabled on your Kandji account in order to implement enrollment customization.

Global variables allow you to automatically insert details about users and devices in text fields within Kandji library items. We’ve now added two new ones: $FULL_NAME (which inserts the full name of the assigned user for a device) and $EMAIL_PREFIX (which inserts the email prefix—everything before the @ symbol—for that user).

Additionally, global variables can now be used in the Full Name and Short Name fields when creating local administrator accounts, to automatically set up those accounts with default passwords.

The Kandji script editor now offers better formatting options for your scripts, including syntax highlighting and indenting. 

The updated editor will make things like customizing app installs easier and more efficient. 

Kandji has updated our Blueprint templates for Kandji Level 1-4 as well as CIS Level 1 and 2 to support our transition from Parameters to Library items.

All deprecated Parameters have been removed from the Blueprint templates and have been replaced with their modern Library item equivalents to support macOS Big Sur.

Learn more about our Parameter transitions in our Parameter transition knowledge base article.

Please note that this won't update any existing Blueprints generated from these templates previously.

Today’s release enables multifactor authentication (MFA) for administrators.

With MFA in place, when admins log in to Kandji with an email/password combination, they must then verify their identity with a one-time code. MFA doesn’t apply to users who authenticate via Google, Office 365, or a Single Sign-On connection.

Initializing MFA is simple: You log into your Kandji account as usual, then scan a QR code with a compatible one-time password (OTP) application such as Google Authenticator, Microsoft Authenticator, OneLogin Protect, or Google Authenticator. You then complete setup in your OTP app.

Kandji Agent Version - 2.7.3 (1252)

The Kandji Agent has been updated to introduce SSL/TLS certificate pinning.

If you’re not using a proxy or inline content filtering product, it’s likely this change won’t affect your organization.

You can find additional details and instructions in our Using Kandji on Enterprise Networks knowledge base article.

We also added a few Self Service enhancements:

• Finder display name is now "Self Service", previously the display name was "Kandji"
• Allows users to remove Applications offered in Self Service from their dock, in addition to adding them
• Other minor UI enhancements

Today’s release of SSO unlocks the ability to enforce specific auth workflows for Kandji admins logging into the Kandji web app, simplifying password management and enforcing secure access for admins managing your devices with Kandji.

This release supports three primary frameworks:

• Google Workspace
• Office 365 / Azure Active Directory
• SAML: A common framework in identity management that allows you to set up custom connections with other providers

Once an SSO connection is configured and established, you can choose to enforce authentication through your SSO provider by hiding the existing social login buttons and the email/password option, giving the admin only a single, secure method for signing in (this is optional, not required).

We took a unique approach to our implementation of SAML by enabling an unlimited number of SAML connections. We’ve heard from customers that this will enable you to support partners, managed service providers, or more complex environments without having to limit sign-in options.

We also support advanced SAML functions such as Single Logout (SLO), a more robust security measure which will log users out of their IdP if they log out of Kandji. We also support encrypted SAML assertions and IdP or SP initiated authentication flows.

Future versions will support pre-built connections with other providers such as Okta, OneLogin, and more. This release of SSO is also laying the groundwork to support Enrollment Customization.

Note: SSO is available upon request only, so please reach out to us if you’re interested. It will be included at no additional cost for customers in the 500 device tier and above. It will be available as an add-on for customers in lower tiers at $150/month, billed annually. See our pricing page for details.

For more information, read our SSO knowledge base article.

We have added the ability to delete categories within the UI, and a prompt to reassign its associated apps and tools to a new category.