
Apple MDM tools supported by Kandji

Apple Business Manager

Apple Business Manager is a foundational tool for businesses that want to utilize mobile device management (MDM) on their fleet. With Apple Business Manager, you can automate MDM enrollment and simplify initial device setup without touching or preparing the devices before users get them physically. It lets you automatically enroll devices into your MDM solution of choice, as long as the device has been added to your organization at the time of purchase—either by buying from Apple or a participating Apple Authorized Reseller or carrier, or through Apple Configurator. Apple Business Manager integrates with MDM solutions such as Kandji to automate device enrollment, enforce settings via configuration profiles, and distribute apps and content. Note: As of 2019, Apple Business Manager replaced the Apple Device Enrollment Program (DEP) and Volume Purchasing Program (VPP).

Automated Device Enrollment

Automated Device Enrollment enables zero-touch deployment of corporate-owned Apple devices, giving organizations the ability to send devices directly to users without pre-provisioning them. Automated Device Enrollment enrolls devices into the MDM, so they can then receive apps and settings defined by your organization, resulting in a streamlined setup experience for users. As a result, Automated Device Enrollment is an essential solution for organizations that want to provision Mac computers with minimal effort.

Apps and Books

The Apps and Books feature of Apple Business Manager streamlines purchasing and distributing apps and content in an organization. Companies can use Apps and Books to purchase macOS apps from the App Store in bulk, then assign them to Mac computers using an MDM solution. With Kandji, tracking which apps are installed on which devices is easy.

Configuration Profiles

Configuration Profiles enforce settings, accounts, restrictions, and credentials on Apple devices. Kandji can create and manage configuration profiles pushed to your fleet, making it easier to quickly configure large numbers of Mac computers without connecting to each one individually. For example, you can create profiles that automatically configure a Mac computer’s Wi-Fi, firewall, and printer settings.

Why use Kandji to Manage Mac Computers?

Kandji manages all your devices throughout their lifecycle. Tight integrations with Apple and elegant design provide a user experience that matches what you expect when working on the Mac.

Zero-touch deployment

Kandji's zero-touch deployment feature streamlines the device enrollment process for businesses using Apple devices. When companies purchase a new Mac from Apple or an Apple Authorized Reseller, the device automatically enrolls in Kandji without any manual input. In addition, Kandji can pull user information from your identity provider, making it frictionless to provision and maintain employee devices. Zero-touch deployment is vital for admins and IT teams managing employees in remote work or hybrid settings.


App management and patching

Patch management involves identifying, downloading, and installing the latest versions of software applications, which provide security updates, bug fixes, and feature enhancements. Patching apps is a critical element of security because it ensures that software updates designed to protect against known vulnerabilities that hackers could exploit are distributed in a timely fashion. Kandji’s Auto Apps library is a catalog of business-critical software for macOS. Kandji hosts, patches, QA tests, and enforces updates on all Auto Apps within your predefined enforcement window. You can also use Kandji to deploy custom apps to your fleet.


macOS update and upgrade management

Managed OS by Kandji manages macOS updates for you. It enforces both major upgrades and minor updates through native prompts for Mac users, with a final countdown before a forced upgrade or update. As a result, you don’t have to worry about whether or not teams are running the correct macOS version on their devices. You choose between enforcing minimum versions or the latest version with a deadline that kicks in within five days after release. With Kandji, you can be confident that your macOS fleet is always up-to-date.


Device configuration and setting management

Kandji helps you manage and deploy all the settings and configurations for your Mac computers. With Kandji, you can easily set up security features like remote lock and wipe or helpful configuration options like Wi-Fi setup and account recovery. With Kandji, you configure and harden all of your Mac devices from one central location. As a result, you save time and maintain better control over your Mac security and management.


Secure off-boarding

Kandji makes it easy to off-board users who are no longer with your organization or who need to move to a new computer. With Kandji’s MDM capabilities, you can remotely lock and wipe Mac computers, erase all contents and settings, and have the Mac ready for its new owner with a fresh install of macOS. This ensures that your data stays secure and that the computer is inoperable by any unauthorized party.



The most loved Mac device management for fast-growing companies

Kandji is award-winning software for innovative leaders who run on Apple.

The ideal software stack for secure macOS management


Apple provides the MDM framework for device management vendors like Kandji to configure and provision devices remotely.


Deploys software, enforces updates, and configures security settings through Apple’s MDM framework and a proprietary agent written natively in Swift. Kandji orchestrates the device lifecycle from provisioning to off-boarding and redeployment.

Identity provider

Integrates with Kandji to allow single sign-on (SSO) for Kandji admins, populate user data in Kandji, and allow Mac users to log in with their IdP credentials. Kandji has integrations with IdP solutions including Azure AD, Okta, OneLogin, and Google Workspace.

Endpoint protection software

Kandji's Endpoint Detection & Response (EDR) feature monitors for and responds to malicious activity to shield corporate and personal data from exposure. Kandji audits and implements the installation of additional endpoint protection software to ensure users have the company-sanctioned version.

Compliance automation

Integrates with Kandji to compile security data from all your Apple endpoints, combining it with data from other sources to deliver the proof needed to pass compliance audits without disruption. Kandji integrates with Drata, Vanta, and SecureFrame for compliance automation.

Supporting BYOD and company-owned devices

A modern hybrid workforce means devices might be at home, in the office, or somewhere in between. Businesses have to think about managing devices regardless of their geographic location. Furthermore, users increasingly want to use devices they are already familiar with—including the ones they own. Kandji helps protect company data on company-owned devices and those owned by users.


Employees use their personal Apple devices, like MacBooks, iMac computers, and Mac Studio computers for work.


Companies provide their new hires with a macOS device for work use. These devices can automatically enroll into MDM at setup.


Demandbase Saves 50 Hours a Month with Automated Device Management

Read how Demandbase reduced Mac-related support tickets by 75% after switching to reliable, modern management with Kandji that automated and enforced things like OS updates.


Manage and secure your Apple devices at scale.


Yes, Kandji integrates with Apple Business Manager to enable streamlined management of iPhone and iPad.

An Identity Provider can do many things, but its primary function is to store and serve as the source of truth for managing your users’ identities (i.e. username and password) throughout their lifecycles. An IdP can also help provide users with authenticated access to company resources and Mac login credentials via Kandji Passport.

Kandji supports macOS Big Sur 11, macOS Monterey 12, macOS Ventura 13, and macOS Sonoma 14.

Kandji uses the most appropriate method for your operating system and includes a variety of technologies behind the scenes. Whether you upgrade to a major OS or update to a minor OS version, users will receive the same great experience.

Unified endpoint management (UEM) is a management solution designed to work with a wide range of devices, including Windows computers, Android devices, and Apple devices. UEM is challenging because the various platforms have different release cycles, provisioning systems, and deployment and management methods. UEM systems are architected in a way that serves all platforms but doesn't necessarily use the complete feature set that each provides. Conversely, MDM solutions focus on specific platforms. Kandji utilizes the MDM framework from Apple along with a macOS agent built in Swift, which goes beyond MDM’s capabilities to configure and update Apple devices.

Kandji can ensure that data stored on the device is encrypted for all Apple devices. If the device is lost or stolen, an attacker won't be able to access the data without the password (Mac) or passcode (iPhone or iPad). The data is automatically obliterated after a number of failed login attempts. You can disallow iCloud backups, so users can't restore backups that contain corporate data to personal devices. And for iOS and iPadOS devices, you can restrict corporate data to being used only by apps installed by Kandji.

Kandji includes a native macOS agent, written entirely in Swift, extending Apple's MDM framework capabilities. It communicates with Kandji to enforce new policy changes. It can even remediate many policy controls when a device is fully offline.

With Kandji, you can completely block the App Store and still install apps, including those licensed using Apps and Books in Apple Business Manager, those downloaded from Kandji's pre-built Auto Apps library, or your own custom apps. Many companies choose to allow the use of the App Store but restrict the ability to share corporate data with apps that were not deployed by MDM.

Yes, endpoint protection software and VPN clients can be deployed to Apple devices either through the App Store (if applicable) or by using a Custom App library item for Mac devices. Once deployed, the Kandji agent works to ensure that these apps remain installed.

Kandji has a robust set of pre-built library items for managing devices that automatically create the necessary configuration profiles, so you don't need to create them manually. You can also upload custom configuration profiles to deploy to your devices.

Settings enforced via configuration profiles are those provided by Apple as part of the MDM framework. Configuration profiles take care of most of the settings administrators choose to enforce. For any not included in the MDM framework, the Kandji Agent for Mac computers extends those capabilities and checks every 15 minutes that additional settings are enforced. Settings enforced by the Kandji Agent can even be remediated fully offline if they change.

Kandji supports managing all Apple operating systems, including macOS, iOS, iPadOS, and tvOS.

Yes, like Kandji, most MDM systems can manage tvOS.

Yes. In Apple Business Manager or Apple School Manager, configure the device to be required to enroll in Kandji. You can even configure Apple Business Manager or Apple School Manager to automatically require all new devices your organization purchases to be enrolled in Kandji. When a user turns on the new device and connects it to the internet, the Setup Assistant on the device will display the Remote Management screen. The user can't use the device until they continue with Setup Assistant and allow the device to enroll in Kandji automatically. You can optionally configure Kandji to require user authentication via credentials from your organization's identity provider (IdP) before the device is allowed to enroll.

Apple or an Apple Authorized Reseller can automatically add those devices to your Apple Business Manager instance when you purchase your devices. You can then automatically assign those devices to your MDM or manually assign them in the Apple Business Manager interface. When a user turns on the new device and connects it to the internet, a Remote Management screen prompts them to enroll in Kandji. The user must continue enrolling into Kandji before the device is usable.

Yes, Kandji supports users enrolling devices through a secure web portal. Apple Business Manager can streamline enrollment into Kandji, but it is not required. To add Mac computers to Apple Business Manager after purchase, use Apple Configurator for iPhone. Add iPhone, iPad, and Apple TV devices to Apple Business Manager using Apple Configurator 2. Apple requires that Mac systems and Apple devices added to Apple Business Manager after the time of purchase are erased and that they have not been provisioned.