Kandji updates

New API endpoints, improved token control

The Kandji API has been updated.

First, we are releasing 25 new endpoints (bringing the total to 29), enabling you to do things such as programmatically update, lock, or shut down a device, or delete a user.


Second, you now have more control over API tokens. You can configure, manage, and edit permissions, either when you create an API token or later. API access and changes to API tokens are now recorded in the API activity tab.


The Kandji API is included at no additional cost for customers in the 500-device tier and above; it’s available as an add-on for customers in lower tiers.

Enrollment customization

Kandji has added support for enrollment customization. This new option in the Automated Device Enrollment Configuration Library item allows you to require users to authenticate with a Single Sign-On connection during automated device enrollment on a Mac, iPhone, or iPad.


Once a user authenticates, they can be automatically matched from your user directory and assigned to the device. 

Note that you will need to have SSO enabled on your Kandji account in order to implement enrollment customization.

New global variables

Global variables allow you to automatically insert details about users and devices in text fields within Kandji library items. We’ve now added two new ones: $FULL_NAME (which inserts the full name of the assigned user for a device) and $EMAIL_PREFIX (which inserts the email prefix—everything before the @ symbol—for that user).


Additionally, global variables can now be used in the Full Name and Short Name fields when creating local administrator accounts, to automatically set up those accounts with default passwords.

Updated script editor

The Kandji script editor now offers better formatting options for your scripts, including syntax highlighting and indenting. 


The updated editor will make things like customizing app installs easier and more efficient. 

Blueprint templates updated

Kandji has updated our Blueprint templates for Kandji Level 1-4 as well as CIS Level 1 and 2 to support our transition from Parameters to Library items.

All deprecated Parameters have been removed from the Blueprint templates and have been replaced with their modern Library item equivalents to support macOS Big Sur.

Learn more about our Parameter transitions in our Parameter transition knowledge base article.

Please note that this won't update any existing Blueprints generated from these templates previously.

Multifactor authentication for admins

Today’s release enables multifactor authentication (MFA) for administrators.

With MFA in place, when admins log in to Kandji with an email/password combination, they must then verify their identity with a one-time code. MFA doesn’t apply to users who authenticate via Google, Office 365, or a Single Sign-On connection.


Initializing MFA is simple: You log in to your Kandji account as usual, then scan a QR code with a compatible one-time password (OTP) application such as Google Authenticator, Microsoft Authenticator, or OneLogin Protect. You then complete setup in your OTP app.

New Auto Apps: Fellow, RingCentral


Agent update: certificate pinning

Kandji Agent Version - 2.7.3 (1252)

The Kandji Agent has been updated to introduce SSL/TLS certificate pinning.

If you’re not using a proxy or inline content filtering product, it’s likely this change won’t affect your organization.

You can find additional details and instructions in our Using Kandji on Enterprise Networks knowledge base article.

We also added a few Self Service enhancements:

  • The Finder display name is now "Self Service"; previously it was "Kandji"
  • Users can now remove applications offered in Self Service from their Dock, in addition to adding them
  • Other minor UI enhancements

SSO for Kandji admins

Today’s release of SSO unlocks the ability to enforce specific auth workflows for Kandji admins logging into the Kandji web app, simplifying password management and enforcing secure access for admins managing your devices with Kandji.


This release supports three primary frameworks:

  • Google Workspace
  • Office 365 / Azure Active Directory
  • SAML: A common framework in identity management that allows you to set up custom connections with other providers

Once an SSO connection is configured and established, you can choose to enforce authentication through your SSO provider by hiding the existing social login buttons and the email/password option, giving the admin only a single, secure method for signing in (this is optional, not required).

We took a unique approach to our implementation of SAML by enabling an unlimited number of SAML connections. We’ve heard from customers that this will enable you to support partners, managed service providers, or more complex environments without having to limit sign-in options.


We also support advanced SAML functions such as Single Logout (SLO), a more robust security measure which will log users out of their IdP if they log out of Kandji. We also support encrypted SAML assertions and both IdP-initiated and SP-initiated authentication flows.

Future versions will support pre-built connections with other providers such as Okta, OneLogin, and more. This release of SSO is also laying the groundwork to support Enrollment Customization.

Note: SSO is available upon request only, so please reach out to us if you’re interested. It will be included at no additional cost for customers in the 500-device tier and above. It will be available as an add-on for customers in lower tiers at $150/month, billed annually. See our pricing page for details.

For more information, read our SSO knowledge base article.

Delete or reassign Self Service categories

We have added the ability to delete categories within the UI, along with a prompt to reassign a deleted category's associated apps and tools to a new category.
