Kandji Raises $100M to Advance Apple in the Enterprise | Learn More

Skip to content

Why Kandji for Endpoint Detection & Response

Stop threats before they happen

Informed by Apple’s Endpoint Security framework events, Kandji can gather all metadata on a file, analyze it, detect the potential for malicious activity, and quarantine it — all in the span between a user clicking download and the download completing.

Fastest time to value

All of Kandji’s capabilities are purpose-built for Apple technologies and deployed by a single agent. This approach drives fast implementations and puts Mac endpoint protection within reach of every team.

Broadest coverage of the macOS threat landscape

Armed with hundreds of millions of malware definitions, data from the world’s leading threat feeds, and a team of threat researchers feeding the detection engine, our intelligence is among the Mac world’s most comprehensive.

Watch the launch event

Watch the launch event replay on YouTube. See the beginning of a new chapter in Endpoint Detection & Response for Mac.

Key functionality

Kandji’s Endpoint Detection and Response combines both pre-execution and post-execution methodologies. This approach allows us to apprehend almost all known malware variants while using behavioral analytics to identify unknown threats based on typical execution actions.

Monitor all files and applications on the Mac

Hook into Apple’s Endpoint Security Framework

Kill processes

Scan files in real time to determine if they are malicious

Quarantine files

Provide alerts and notifications

Enforce custom allow/block lists

Add security controls and Data Loss Protection (DLP) to USB

Protect mode

In Protect Mode, admins can configure the posture to protect against malware and PUPs. The Kandji Agent automatically identifies and kills any malicious processes and quarantines malicious files.

Detect mode

In Detect Mode, the Kandji agent identifies but takes no action on the file or process exhibiting malicious behavior. Detections generate an alert to the admin, who can view them from the Kandji web app or integrate them with communication tools like Slack.

Allow/Block List Customization

Enforce allow/block lists by file hash and path. The Kandji Agent ignores allowed items when encountered on a device while treating block list items as malware in the system.

Threat event analysis

The threat events view provides information such as the threat name and classification, along with any relevant actions and their dates. Threat events are viewable at the device level or in the collated threat events view.

Frictionless quarantine release

In cases where the wrong file is apprehended, admins can release it from quarantine across all devices and add it to the allow list in one easy workflow.

The experts behind our insight


Researchers compile detailed findings for detection engineers to ensure Kandji is always up-to-the-minute on the latest attack vectors on the Mac. Sources include:

Reverse engineering tools
Threat Intelligence feeds
Current exploitation trends

Detection Engineers

Detection Engineers curate detection methods and prevention strategies on current and future malware variants with inputs informed by:

Kandji Researchers
Behavioral analytics from system events
Unknown files from endpoints
Background Amber waves

Manage and secure your Apple devices at scale.