Information about Iru (formerly Kandji) at the UofA
Introduction
This article goes over what Iru is and how it is implemented at the University of Alberta.
Applicability
This article is for anyone at the UofA who uses an Apple computer enrolled in the Iru system.
Details
Note: Iru is in the process of switching everything over to the new Iru branding, so some things will still say Kandji. The names will eventually be updated to Iru across the entire app suite and the icon will change to a jellyfish from the current bee.
Iru is a Mobile Device Management (MDM) platform that is used to manage Apple computers. It has the capability to install/update applications, run scripts, enforce Operating System updates, and apply policies to a computer. An MDM solution like this is required for Apple computers because they cannot be managed through a central computer domain like PCs can. When a system is enrolled in Iru, it checks in with the Iru servers periodically throughout the day (when internet is available) to see if there's anything new that needs to be downloaded and/or applied.
Appearance
Once a computer is enrolled in Iru, you will see a bee icon on the menu bar in one of two states:
- Normal:
- Attention needed:
Clicking on the icon will bring down a quick menu where you can access Iru's Self Service application, or see any updates that need to be applied.

The Self Service application is where you can install applications that are not installed by default (e.g. Google Drive or Microsoft Outlook) or printer drivers.

You can also click Device Info to see information about your computer, and to perform a manual Sync with Iru if needed (manual syncs are useful so that you can be sure your system is up to date before something like a meeting).

More information about Self Service can be accessed at this KB article from Iru.
Managed OS Updates
- This feature makes sure that the operating system on a computer is kept up to date.
- An enforcement period is set based on what type of update is released:
  - Major macOS updates (e.g. going from macOS 14 to macOS 15) are enforced 6 months after Apple releases them.
  - Minor macOS updates (e.g. going from macOS 14.1 to macOS 14.2) are enforced 2 weeks after Apple releases them.
  - Rapid Security Responses (macOS 14+) are enforced 2 days after Apple releases them.
- After the deferral period (set below by the Software Update setting), a user will be able to install an update themselves.
- Iru has written an article describing how a user will experience this.
Applications
There are a few different kinds of applications that Iru installs:
- Applications installed or updated during a computer's initial enrollment in Iru for which updates are enforced.
  - When an update for one of these applications comes out, Iru will install it right away as long as the application isn't open.
  - If it is open, the user will be notified that an update needs to be applied and that they have 7 days to do it.
  - At the end of that period, if the application has not been closed, Iru will force the application to close and install the update.
  - At any point during that period the user can choose to do the update manually by clicking the Iru icon and clicking the update button next to the application.
  - These applications are mandatory and, if not found on the system, will be reinstalled during the computer's next check-in with Iru:
    - Cisco Secure Endpoint (campus security software)
    - Device 42 Agent (campus network inventory software)
    - Lansweeper Agent (campus network inventory software)
  - These applications can be removed by the user but will be updated if they are installed:
    - Adobe Acrobat Reader
    - Google Chrome
    - Microsoft Office (Excel, PowerPoint, Word) - macOS 14 and above
    - Mozilla Firefox
    - VLC
- Applications installed once during the initial enrollment for which updates are not enforced.
  - List:
    - Microsoft Office Serializer (installs the UofA site license for Office for Mac) - macOS 13 and above
    - OpenJDK (also available in Self Service)
- Applications available in Self Service for which updates are enforced.
  - These are not installed during the initial enrollment.
  - If they are installed then they follow the same enforcement method/timeframe as the first type of application in this list.
  - List:
    - Google Drive
    - Microsoft Auto Update
    - Microsoft Office (OneNote, Outlook) - macOS 14 and above
    - Microsoft Teams
    - Thunderbird
    - Windows App
    - Zoom
- Applications available in Self Service for which updates are not enforced.
  - These are not installed during the initial enrollment.
  - List:
    - Cisco AnyConnect (campus VPN software, this updates itself)
    - Citrix Workspace
    - HP Printer Drivers (v6.1.0.1 from HP)
    - Xerox Printer Drivers - macOS 12 and above
App Blocking
Currently only Oracle Java apps are blocked on UofA systems. This is because Oracle's license does not allow anyone to install Java without a paid license, except for personal use.
Scripts
There are a few scripts that Iru runs on each computer:
- Remove Munki
  - This script is used for removing the Munki service from computers.
  - Munki was one of the MDM solutions we had tried before going with Iru.
  - It runs only once on each computer.
- Remove Oracle Java
  - This script checks daily to see if Oracle Java has been installed and removes it if found.
- Install Rosetta for Apple Silicon
  - This script installs the Rosetta software on Apple Silicon-based Macs (those with an Apple "M" processor).
  - This allows software written for the previous generation of Macs, those that had Intel processors, to work on these newer systems.
Settings
These are the settings that are enforced:
- Auditing Policies
  - Secure access to audit records.
  - Set retention for security auditing to 60 days or 1024MB.
- Computer Name and Localhost Name
  - Set Computer Name to the serial number.
- Date & Time
  - Ensure date and time is set automatically using time.apple.com.
    - Note: We initially used the campus time server (time.srv.ualberta.ca), but access to that server has been restricted to on-campus networks only. The difference between the UofA's and Apple's time servers is usually only a few microseconds at most.
  - Ensure time is within appropriate limits.
- Energy Saver
  - Desktops
    - Turn off display after 30 minutes of inactivity.
    - Start automatically after power failure.
  - Portables on Battery
    - Turn off display after 20 minutes of inactivity.
    - Put hard disks to sleep when possible.
  - Portables on AC Power
    - Turn off display after 30 minutes of inactivity.
- File and Folder Permissions
  - Check Applications folder for appropriate permissions.
  - Check System folder for world writable files.
  - Enable System Integrity Protection (SIP).
  - Secure user home folders.
- FileVault (device encryption)
  - Enabled on all computers.
  - Recovery keys are escrowed to the Iru servers.
  - Report encryption status of attached APFS and CoreStorage volumes.
- Gatekeeper
  - Allow apps downloaded from anywhere (disable Gatekeeper).
- IPv6
- Log Retention
  - Set retention for install.log to 365 days.
- Login & Background Items
  - Specifies that specific background/login applications can't be disabled:
    - All Cisco applications
    - BeyondTrust (UofA's remote support software)
    - Lansweeper/Device 42 agents
  - Other apps that are automatically installed/updated (e.g. Adobe Acrobat Reader DC) may have items in this list as well.
- Login Window
  - Disable automatic login.
  - Display password hint after 4 failed attempts.
  - Show a list of users on the computer.
  - Show the input menu and additional computer details in the menu bar.
  - Show the message "For UofA computer help please call the Staff Service Centre @ 780-492-8000.".
- Media Access
  - All media types allowed.
  - Disable media auto actions (e.g. running the install file on an inserted application disk).
- Passcode
  - Require alphanumeric passcode.
  - Minimum Passcode Length: 8 characters
  - Minimum Complex Characters: 1 character
  - Passcode History: 5 previous passwords not allowed
  - Require Passcode After Sleep or Screen Saver Begins: 1 minute
  - Maximum Failed Attempts Before Account Lockout: 10
  - Account Lockout Duration: 2 minutes
- Privacy
  - Enable/monitor Location Services.
- Restrictions
  - Allow deprecated TLS versions in Safari.
  - Disallow sending diagnostics and usage data to Apple.
  - Disallow Spotlight internet search results.
  - Disallow use of Content Caching service.
- Safari
  - Disable the automatic run of safe files in Safari.
  - Manage Safari Location Services: Prompt for each website.
- Sharing
  - Disable HTTP Server.
  - Disable NFS Server.
- Software Update
  - Check for OS updates.
  - Install system data files and security updates.
    - This automatically downloads and installs Security Responses, system data files and security updates, including XProtect, MRT, and Gatekeeper.
  - Defer updates by type:
    - When an update is deferred it means the user won't be able to see it in the Software Update section of their System Settings/Preferences until after the deferral period is over.
    - Major macOS updates (e.g. going from macOS 14 to macOS 15) by 60 days.
    - Minor macOS updates (e.g. going from macOS 14.1 to macOS 14.2) by 7 days.
    - Non-OS updates (e.g. Safari updates) by 7 days.
  - Disallow macOS beta release installation.
- Spotlight
  - Disable Spotlight Suggestions.
- Sudo
  - Use a separate timestamp for each user/tty combo.
- System Preferences
  - Lock "Profiles" pane in macOS 12 and below.
  - Require an administrator password to access system-wide preferences.
- Terminal
  - Enable Secure Keyboard Entry.
- Unlock Options
  - Disable the ability to log in to another user's active and locked session.
- User Accounts
  - Don't allow guests to connect to shared folders.
  - Don't allow the Guest user to log in.
  - Remove the Guest user home folder.
- Wi-Fi
  - Show Wi-Fi status in menu bar.
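
One way to spot-check a few of the settings above (FileVault, SIP, Gatekeeper, sudo timestamps) against what a Mac actually reports, as an added example that is not Iru's or the UofA's own tooling. The names `BASELINE`, `evaluate` and `collect` are hypothetical, and the command output formats are assumptions based on typical macOS output; the sample output is constructed.

```python
import re
import subprocess

# name: (read-only macOS command, regex capturing the state, value the baseline implies).
# The output formats are assumptions taken from typical macOS output.
BASELINE = {
    "filevault": (["fdesetup", "status"], r"FileVault is (\w+)", "On"),
    "sip": (["csrutil", "status"],
            r"System Integrity Protection status: (\w+)", "enabled"),
    # The page's baseline turns Gatekeeper off, so "disabled" is the expected state.
    "gatekeeper": (["spctl", "--status"], r"assessments (\w+)", "disabled"),
    # sudo prints its Defaults, including this line, only when -V is run as root.
    "sudo_tty": (["sudo", "-V"],
                 r"Type of authentication timestamp record: (\w+)", "tty"),
}


def evaluate(outputs):
    """Classify each setting as 'ok', 'drift' or 'unknown' from captured output."""
    report = {}
    for name, (_cmd, pattern, expected) in BASELINE.items():
        match = re.search(pattern, outputs.get(name) or "")
        if match is None:
            report[name] = "unknown"  # tool absent, failed, or needs root
        elif match.group(1) == expected:
            report[name] = "ok"
        else:
            report[name] = "drift"
    return report


def collect():
    """Run the commands on a Mac; a missing or hung tool yields None."""
    outputs = {}
    for name, (cmd, _pattern, _expected) in BASELINE.items():
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
            outputs[name] = proc.stdout + proc.stderr
        except (OSError, subprocess.TimeoutExpired):
            outputs[name] = None
    return outputs


# Constructed sample: FileVault off, sudo -V captured without root.
SAMPLE = {
    "filevault": "FileVault is Off.\n",
    "sip": "System Integrity Protection status: enabled.\n",
    "gatekeeper": "assessments disabled\n",
    "sudo_tty": "Sudo version 1.9.13p2\n",
}

if __name__ == "__main__":
    for setting, state in evaluate(SAMPLE).items():
        print(f"{setting:12} {state}")
```

On an enrolled Mac, pass `collect()` to `evaluate` instead of `SAMPLE`; a result of `unknown` for `sudo_tty` usually means the script was not run as root.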