Kandji

Kandji is a comprehensive Apple device management and security platform. Device information is pulled into Secureframe for security and compliance verification.

Setup

To integrate Kandji with Secureframe, navigate to Integrations and search for “Kandji” on the “Available” page. (If you have the Custom Integration feature, click on "Add native connection"). Click “Connect” and follow the steps in the connection form. Be sure to select the region that is applicable to you.

Configuration

For a device to pass the checks in Asset Inventory, it must be enrolled in an Assignment Map or Blueprint that has these Library Items:

  • Kandji Level I - FileVault
  • Kandji Level I - Firewall
  • Kandji Level I - Gatekeeper
  • Kandji Level I - Passcode

You may use levels higher than "I" as long as you have library items with these names.


How to set up an Assignment Map / Blueprint and enroll devices

  1. Click "New Blueprint" and then "New Assignment Map"

  2. Select "Kandji Level I"

  3. Edit the name as desired, then click "Create Blueprint"

  4. Click the "Devices" tab, then "Add devices"

  5. You can instruct users to visit the Enrollment Portal and provide them with the enrollment code for this Blueprint that you just created.

  6. If you want to automate device enrollment, please refer to Kandji's documentation.

Permissions, Fields Pulled, Controls, and Automated Tests

We provide this information within Secureframe. Either click this link or:

  1. Navigate to the “Integrations” page.
  2. Select the “Available” tab.
  3. Search for Kandji.
  4. Click “View Details”.

Frequently Asked Questions (FAQ)

I am having an issue with my Kandji integration. What should I check?

  • The most common issue with Kandji is missing permissions. Check and verify that the required permissions are selected and saved in your settings. Those Kandji permissions can be found here.
  • Additionally, please ensure that the Kandji API URL is correctly configured.

Why is the “Hard drive encryption for user endpoints (Kandji)” test failing even though Kandji shows Disk Encryption as enabled?

The test doesn’t just check whether disk encryption is turned on — it specifically looks for the successful application of a Kandji MDM policy with “FileVault” in the name and a status of "success."

Here are a few reasons the test might fail even if disk encryption looks enabled in Kandji:

  1. The device hasn’t checked in recently

    • If Kandji hasn't received recent data from the device, the required FileVault policy status may be missing or outdated. This is the most common cause of failure.

    • Example: A device last seen several months ago won’t have updated profile or encryption status, even if it’s technically encrypted.

  2. Missing or incomplete profile audit logs

    • If there's no recent audit log confirming that the FileVault profile was successfully installed, the test will fail.

  3. Escrow status is not a factor for this test

    • While Recovery Key escrow is important, our test does not require escrow status to pass — it only checks for successful FileVault profile installation.

To resolve:

  • Make sure affected devices are online and have recently synced with Kandji.

  • In Kandji, confirm that:

    • A FileVault profile is applied to the device.

    • The profile shows a status of “success.”

You can also compare the logs of a failing device to a passing one to pinpoint the gap.
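
The failure reasons above can be turned into a quick triage pass over exported device records. This is an added example, not Secureframe's or Kandji's code: the record field names, the sample devices and the 30-day staleness threshold are assumptions, since the article does not define them.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records; field names are hypothetical, not Kandji's API schema.
DEVICES = [
    {"name": "mac-01", "last_check_in": "2024-06-01T09:00:00+00:00",
     "library_items": [{"name": "Kandji Level I - FileVault", "status": "success"}]},
    {"name": "mac-02", "last_check_in": "2024-01-15T09:00:00+00:00",
     "library_items": [{"name": "Kandji Level I - FileVault", "status": "success"}]},
    {"name": "mac-03", "last_check_in": "2024-06-02T09:00:00+00:00",
     "library_items": [{"name": "Kandji Level I - FileVault", "status": "pending"}]},
    {"name": "mac-04", "last_check_in": "2024-06-02T09:00:00+00:00",
     "library_items": [{"name": "Kandji Level I - Firewall", "status": "success"}]},
]
SAMPLE_NOW = datetime(2024, 6, 3, tzinfo=timezone.utc)  # fixed for reproducible output


def triage_filevault(device, now, max_age=timedelta(days=30)):
    """Return (passed, reason) for one device record.

    max_age is an assumed staleness threshold; the article does not state one.
    """
    # A stale check-in comes first: older status data cannot be trusted.
    last_seen = datetime.fromisoformat(device["last_check_in"])
    if now - last_seen > max_age:
        return False, f"stale check-in ({(now - last_seen).days} days ago)"
    # The test looks for an item with "FileVault" in its name...
    items = [i for i in device.get("library_items", [])
             if "filevault" in i.get("name", "").lower()]
    if not items:
        return False, "no library item with 'FileVault' in its name"
    # ...and a status of "success". Escrow status is deliberately not checked.
    if not any(i.get("status", "").lower() == "success" for i in items):
        statuses = sorted({i.get("status", "unknown") for i in items})
        return False, "FileVault item status is " + "/".join(statuses)
    return True, "FileVault item applied with status success"


def triage_all(devices, now):
    """Map each device name to its (passed, reason) result."""
    return {d["name"]: triage_filevault(d, now) for d in devices}


if __name__ == "__main__":
    for name, (ok, reason) in triage_all(DEVICES, SAMPLE_NOW).items():
        print(f"{name}: {'PASS' if ok else 'FAIL'} - {reason}")
```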
