Information about Kandji at the UofA
Introduction
This article goes over what Kandji is and how it is implemented at the University of Alberta.
Applicability
This article is for anyone at the UofA who uses an Apple computer enrolled in the Kandji system.
Details
Kandji is a Mobile Device Management (MDM) platform that is used to manage Apple computers. It can install and update applications, run scripts, enforce operating system updates, and apply policies to a computer. An MDM solution like this is required for Apple computers because, unlike PCs, they cannot be managed through a central computer domain. When a system is enrolled in Kandji, it checks in with the Kandji servers periodically throughout the day (whenever an internet connection is available) to see if there is anything new that needs to be downloaded and/or applied.
Appearance
Once a computer is enrolled in Kandji, you will see a bee icon on the menu bar in one of two states:
- Normal:
- Attention needed:
Clicking on the icon will bring down a quick menu where you can access Kandji's Self Service application, or see any updates that need to be applied:
The Self Service application is where you can install applications that are not installed by default (e.g. Google Drive or Microsoft Outlook) or HP/Xerox printer drivers:
You can also click Device Info to see information about your computer, and to perform a manual Sync with Kandji if needed (manual syncs are useful so that you can be sure your system is up to date before something like a meeting):
More information about Self Service can be accessed at this KB article from Kandji.
Managed OS Updates
- This feature makes sure that the operating system on a computer is kept up to date.
- An enforcement period is set based on what type of update is released:
  - Major macOS updates (e.g. going from macOS 14 to macOS 15) are enforced 6 months after Apple releases them.
  - Minor macOS updates (e.g. going from macOS 14.1 to macOS 14.2) are enforced 2 weeks after Apple releases them.
  - Rapid Security Responses (macOS 14+) are enforced 2 days after Apple releases them.
- After the deferral period (set under the Software Update setting below), a user will be able to install an update themselves.
- Kandji has written an article describing how a user will experience this.
Applications
There are a few different kinds of applications that Kandji installs:
- Applications installed or updated during a computer's initial enrollment in Kandji for which updates are enforced.
  - When an update for one of these applications comes out, Kandji will install it right away as long as the application isn't open.
  - If it is open, the user will be notified that an update needs to be applied and that they have 7 days to do it.
  - At the end of that period, if the application has not been closed, Kandji will force the application to close and install the update.
  - At any point during that period the user can choose to do the update manually by clicking the Kandji icon and clicking the update button next to the application.
  - These applications are mandatory and, if not found on the system, will be reinstalled during the computer's next check-in with Kandji:
    - Cisco Secure Endpoint (campus security software)
    - Freshservice Discovery Agent (inventory software that links with our ticket system)
    - Lansweeper Agent (campus network inventory software)
  - These applications can be removed by the user but will be updated if they are installed:
    - Adobe Acrobat Reader
    - Google Chrome
    - Microsoft Office (Excel, PowerPoint, Word) - macOS 12 and above
    - Mozilla Firefox
    - VLC
- Applications installed once during the initial enrollment for which updates are not enforced.
  - List:
    - Microsoft Office Serializer (installs the UofA site license for Office for Mac) - macOS 12 and above
    - OpenJDK (also available in Self Service)
- Applications available in Self Service for which updates are enforced.
  - These are not installed during the initial enrollment.
  - If they are installed then they follow the same enforcement method/timeframe as the first type of application in this list.
  - List:
    - Citrix Workspace
    - Google Drive
    - Microsoft Auto Update
    - Microsoft Office (OneNote, Outlook) - macOS 12 and above
    - Microsoft Teams
    - Thunderbird
    - Zoom
- Applications available in Self Service for which updates are not enforced.
  - These are not installed during the initial enrollment.
  - List:
    - Cisco AnyConnect (campus VPN software; it updates itself)
    - HP Printer Drivers (v5.1.1 from Apple)
    - HP Printer Drivers (v6.1.0.1 from HP)
    - Xerox Printer Drivers - macOS 12 and above
Scripts
There are a few scripts that Kandji runs on each computer:
- Remove Munki
  - This script is used for removing the Munki service from computers.
  - Munki was one of the MDM solutions we had tried before going with Kandji.
  - It runs only once on each computer.
- Remove Oracle Java
  - This script checks daily to see if Oracle Java has been installed and removes it if found.
  - Oracle's license terms prohibit installing their software on our computers without a license agreement in place, which we do not have.
- Install Rosetta for Apple Silicon
  - This script installs Rosetta on Apple Silicon Macs (those with an Apple "M" series processor).
  - This allows software written for the previous generation of Intel-based Macs to run on these newer systems.
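A report-only check along the lines of the Remove Oracle Java script, added here as an example and not the UofA Kandji script itself. It tells Oracle-vendored Java apart from the OpenJDK offered in Self Service by reading each bundle's JVMVendor string (assumed to sit in Contents/Info.plist, as it does in the usual macOS JDK/JRE bundle layout) and also looks for the legacy JRE files that Oracle's own uninstall instructions list.

```shell
#!/bin/sh
# Added example (not the UofA Kandji "Remove Oracle Java" script): list Oracle
# Java on a Mac while leaving OpenJDK, which Self Service offers, alone.
# Assumes the usual macOS JDK/JRE bundle layout, with a JVMVendor string in
# Contents/Info.plist.
JVM_ROOT="${JVM_ROOT:-/Library/Java/JavaVirtualMachines}"
# Files Oracle's own uninstall instructions list for the legacy JRE/plug-in.
LEGACY_PATHS='/Library/Internet Plug-Ins/JavaAppletPlugin.plugin
/Library/PreferencePanes/JavaControlPanel.prefPane
/Library/LaunchAgents/com.oracle.java.Java-Updater.plist
/Library/LaunchDaemons/com.oracle.java.Helper-Tool.plist'

# Print the JVMVendor value from a bundle's Info.plist (plain-text parse, so it
# needs no plutil/defaults and can be exercised outside macOS).
jvm_vendor() {
    plist="$1/Contents/Info.plist"
    [ -f "$plist" ] || return 1
    tr -d '\n\t' < "$plist" |
        sed -n 's/.*<key>JVMVendor<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p'
}

# Succeed only when the bundle reports an Oracle vendor.
is_oracle_jdk() {
    case "$(jvm_vendor "$1")" in *Oracle*) return 0 ;; *) return 1 ;; esac
}

# List Oracle-vendored JDK/JRE bundles under a root, one path per line.
# Matching on vendor rather than on "a JDK exists" is what spares OpenJDK.
find_oracle_jdks() {
    for bundle in "$1"/*.jdk "$1"/*.jre; do
        [ -d "$bundle" ] || continue
        is_oracle_jdk "$bundle" && printf '%s\n' "$bundle"
    done
    return 0
}

# List legacy Oracle Java components present under a filesystem prefix
# ("" on a live Mac; a scratch directory when testing).
find_legacy_oracle_java() {
    saved_ifs=$IFS; IFS='
'
    for p in $LEGACY_PATHS; do
        [ -e "$1$p" ] && printf '%s\n' "$1$p"
    done
    IFS=$saved_ifs
    return 0
}
# Report-only scan of this system; the Kandji script goes on to remove what it finds.
find_oracle_jdks "$JVM_ROOT"
find_legacy_oracle_java ""
```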
Settings
These are the settings that are enforced:
- Auditing Policies
  - Secure access to audit records.
  - Set retention for security auditing to 60 days or 1024 MB.
- Computer Name and Localhost Name
  - Set Computer Name to the serial number.
- Date & Time
  - Ensure date and time are set automatically using time.apple.com.
    - Note: We initially used the campus time server (time.srv.ualberta.ca), but we were seeing a lot more errors using it, so we switched back to Apple's time server. The offset between the two servers is usually only microseconds.
  - Ensure time is within appropriate limits.
- Energy Saver
  - Desktops
    - Turn off display after 30 minutes of inactivity.
    - Start automatically after power failure.
  - Portables on Battery
    - Turn off display after 20 minutes of inactivity.
    - Put hard disks to sleep when possible.
  - Portables on AC Power
    - Turn off display after 30 minutes of inactivity.
- File and Folder Permissions
  - Check Applications folder for appropriate permissions.
  - Check System folder for world writable files.
  - Enable System Integrity Protection (SIP).
  - Secure user home folders.
- FileVault (device encryption)
  - Enabled on all computers.
  - Recovery keys are escrowed to the Kandji servers.
  - Report encryption status of attached APFS and CoreStorage volumes.
- Gatekeeper
  - Allow apps downloaded from anywhere (disable Gatekeeper).
- IPv6
- Log Retention
  - Set retention for install.log to 365 days.
- Login & Background Items
  - Prevents users from disabling these background/login items:
    - All Cisco applications.
    - Microsoft Auto Update Helper
    - Microsoft Volume License Helper
    - Other apps that are automatically installed/updated (e.g. Adobe Acrobat Reader DC) may have items in this list as well.
- Login Window
  - Disable automatic login.
  - Display password hint after 4 failed attempts.
  - Show a list of users on the computer.
  - Show the input menu and additional computer details in the menu bar.
  - Show the message "For UofA computer help please call the Staff Service Centre @ 780-492-8000."
- Media Access
  - All media types allowed.
  - Disable media auto actions (e.g. running the install file on an inserted application disk).
- Passcode
  - Require alphanumeric passcode.
  - Minimum Passcode Length: 8 characters
  - Minimum Complex Characters: 1 character
  - Passcode History: 5 previous passwords not allowed
  - Require Passcode After Sleep or Screen Saver Begins: 1 minute
  - Maximum Failed Attempts Before Account Lockout: 10
  - Account Lockout Duration: 2 minutes
- Privacy
  - Enable/monitor Location Services.
- Restrictions
  - Allow deprecated TLS versions in Safari.
  - Disallow sending diagnostics and usage data to Apple.
  - Disallow Spotlight internet search results.
  - Disallow use of Content Caching service.
- Safari
  - Disable the automatic run of safe files in Safari.
  - Manage Safari Location Services: Prompt for each website.
- Sharing
  - Disable HTTP Server.
  - Disable NFS Server.
- Software Update
  - Check for OS updates.
  - Install system data files and security updates.
    - This automatically downloads and installs Security Responses, system data files and security updates, including XProtect, MRT, and Gatekeeper.
  - Defer updates by type:
    - When an update is deferred it means the user won't be able to see it in the Software Update section of their System Settings/Preferences until after the deferral period is over.
    - Major macOS updates (e.g. going from macOS 14 to macOS 15) by 60 days.
    - Minor macOS updates (e.g. going from macOS 14.1 to macOS 14.2) by 7 days.
    - Non-OS updates (e.g. Safari updates) by 7 days.
  - Disallow macOS beta release installation.
- Spotlight
  - Disable Spotlight Suggestions.
- Sudo
  - Use a separate timestamp for each user/tty combination.
- System Preferences
  - Lock "Profiles" pane in macOS 12 and below.
  - Require an administrator password to access system-wide preferences.
- Terminal
  - Enable Secure Keyboard Entry.
- Time Machine
  - Monitor encryption status of Time Machine volumes.
- Unlock Options
  - Disable the ability to log in to another user's active and locked session.
- User Accounts
  - Don't allow guests to connect to shared folders.
  - Don't allow the Guest user to log in.
  - Remove the Guest user home folder.
- Wi-Fi
  - Show Wi-Fi status in menu bar.
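An added spot-check, not a Kandji library item, that confirms a few of the enforced settings above (SIP, FileVault, guest and automatic login, audit retention, install.log retention) from the output of the stock macOS tools and config files. The csrutil and fdesetup strings are the tools' normal output; the audit_control and com.apple.install line formats quoted in the comments are assumptions about those files' usual layout.

```shell
#!/bin/sh
# Added example (not a Kandji library item): spot-check some of the enforced
# settings on this page and report drift. Each check parses the text a stock
# macOS tool or config file provides, so the parsers can be exercised offline
# on constructed output; the live scan at the end runs only where csrutil exists.

# csrutil status -> "System Integrity Protection status: enabled."
sip_enabled()        { printf '%s\n' "$1" | grep -qi 'status: enabled'; }
# fdesetup status -> "FileVault is On."
filevault_on()       { printf '%s\n' "$1" | grep -q '^FileVault is On'; }
# defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled -> 0 (or unset)
guest_login_off()    { case "$1" in 0|'') return 0 ;; *) return 1 ;; esac; }
# defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser -> unset
auto_login_off()     { [ -z "$1" ]; }
# /etc/security/audit_control -> "expire-after:60d OR 1G" (60 days or 1024 MB; assumed format)
audit_retention_ok() { printf '%s\n' "$1" | grep -q '^expire-after:60d OR 1G$'; }
# /etc/asl/com.apple.install -> install.log rule carrying "ttl=365" (assumed format)
install_log_ttl_ok() { printf '%s\n' "$1" | grep -Eq 'ttl=365([^0-9]|$)'; }

drift=0
# report NAME CHECK INPUT: run CHECK on INPUT and tally a FAIL as drift.
report() {
    if "$2" "$3"; then printf 'PASS %s\n' "$1"
    else printf 'FAIL %s\n' "$1"; drift=$((drift + 1)); fi
}

# Live scan (macOS only). Reading audit_control may need sudo.
if command -v csrutil >/dev/null 2>&1; then
    LW=/Library/Preferences/com.apple.loginwindow
    report "SIP enabled"              sip_enabled        "$(csrutil status 2>/dev/null)"
    report "FileVault on"             filevault_on       "$(fdesetup status 2>/dev/null)"
    report "Guest login disabled"     guest_login_off    "$(defaults read $LW GuestEnabled 2>/dev/null)"
    report "Automatic login disabled" auto_login_off     "$(defaults read $LW autoLoginUser 2>/dev/null)"
    report "Audit retention 60d/1G"   audit_retention_ok "$(cat /etc/security/audit_control 2>/dev/null)"
    report "install.log ttl 365"      install_log_ttl_ok "$(cat /etc/asl/com.apple.install 2>/dev/null)"
    printf '%d setting(s) drifted\n' "$drift"
fi
```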