The Kandji Team

Agent Update

Kandji Agent Version - 3.5.1 (2270): The Kandji Agent, specifically the parameter-agent, has multiple improvements with this release.

Performance improvements:

  • Running the agent with sudo kandji run will be noticeably quicker, especially in offline mode. This is achieved by various performance improvements throughout the parameter-agent.

  • This agent release adds support for running Parameters on macOS 12.3.

Parameter Audit Improvements:

Multiple parameters have been updated to provide more detailed audit logging on their current enforcement status:

  • Disable Remote Management reports access options checked per user in System Preferences.

  • Disable Bluetooth Sharing reports what is being shared, what other devices can browse and modes of sharing.

  • Hot corner Parameters report what each corner is set with, per user.

  • Disable Media Auto Actions now reports what actions were enabled, including paths to custom scripts or applications set to launch on media insertion.

  • Time Machine Parameters include more information about backup destinations and the state of backups in progress.

Some Parameters also no longer require relaunching apps or processes in order to take effect. These include Parameters such as:

  • Enable Secure Keyboard Entry in Terminal takes immediate effect, even if Terminal is open and being used.

  • Dozens of Parameters refactored with performance and reliability improvements.

  • Significant logging improvements for the Parameter Agent; full blueprint Parameter results are now logged with a [Parameter] tag.

Additionally, multiple parameters have been updated to leverage better system tooling for audit logic, which will result in better auditing and enforcement of parameters. You may notice additional remediations due to this improved auditing logic.

Deprecations:

  • macOS 10.13 High Sierra is no longer supported in this version. Update devices to macOS 10.14 Mojave or higher.

The following Parameters will no longer be enforced by the Kandji Agent and will be removed from the web app on April 6, 2022. Please ensure you have migrated to the appropriate Library Items; for details, review our support article.

  • Enable FileVault 2

  • Escrow FileVault Recovery Keys to Kandji

  • Manage Screen Saver

  • Restrict App Store app installs and software updates to admin users

  • Disable Beta Updates

  • Automatically check for updates

  • Automatically download and install security updates

  • Download macOS and App Store app updates in the background

  • Automatically install macOS updates

  • Automatically install App Store updates

  • Delay software update availability

  • Disable software update notifications

  • Restrict App Store to software updates only

  • Manage media access

  • Disconnect all media at logout

  • Manage disc burning

  • Display login window as name and password

  • Disable and remove password hints

  • Disable fast user switching menu

  • Enforce a custom message for the lock screen

  • Log out inactive users

  • Manage Gatekeeper

  • Disallow users from overriding Gatekeeper settings

  • Ensure Firewall is configured to log

  • Enable Firewall

  • Enable stealth mode

  • Block all incoming connections

  • Block built-in apps from receiving incoming connections

  • Block downloaded apps from receiving incoming connections

  • Enable detailed firewall logging

  • Disable waking for network access

  • Disable sleeping when connected to power

  • Disallow unlock with Apple Watch

  • Disallow unlock with Touch ID

  • Disallow sending diagnostic and usage data to Apple

  • Disable Content Caching

  • Disallow AirDrop

  • Disallow password sharing via AirDrop Passwords

  • Disable Camera

  • Disable Safari AutoFill

  • Disallow Safari Password AutoFill

  • Disallow Game Center

  • Disallow iCloud Desktop & Documents Sync

  • Disallow iCloud Drive

  • Disallow iCloud Photos

  • Disallow iCloud Mail

  • Disallow iCloud Contacts

  • Disallow iCloud Calendar

  • Disallow iCloud Reminders

  • Disallow iCloud Bookmarks

  • Disallow iCloud Notes

  • Disallow iCloud Keychain Sync

  • Disallow password proximity requests

  • Lock screen after Screen Saver or sleep begins

  • Disallow simple passwords

  • Maximum failed login attempts

  • Account lockout duration

  • Minimum number of complex characters

  • Minimum password length

  • Require alphanumeric password

  • Maximum allowed password age

  • Password history

  • Force user to reset password at next authentication

  • Custom Compliance Scripts

  • Disable Java 6 from being the default Java runtime

  • Manage Adobe Flash Player

  • Disable Handoff

  • Disable Siri

  • Disallow Find My Mac

  • Force Install macOS updates after specified time period

  • Disable the Infrared Receiver if no paired devices exist

  • Disable FTP Server

  • Set retention for authd.log

  • Set retention for appfirewall.log

  • Set retention for system.log

  • Advanced Password Management BETA

  • Restrict NTP server to loopback interface

  • Disable console login

  • Set a Firmware Password BETA

  • Watchman Monitoring Client

  • Enable OCSP and CRL certificate checking

  • Disable Bluetooth Discoverable Mode when not pairing devices

  • Ensure display sleep interval is greater than Screen Saver interval

  • Manage number of allowed firewall rules

  • Disable Internet Plug-Ins for global use in Safari