Introducing Auto Apps, SCEP Profile, and More

Posted on February 27, 2020

The Kandji team is excited to announce Auto Apps, a library of applications that Kandji pre-packages, hosts, and automatically patches. 

We also released several other updates to provide IT teams with the most modern Apple device management experience, such as new Profiles (SCEP, AirPlay Security, Login Window), Parameters (Set Computer Name), Global Profile Variables, and more.

In case you missed it, we also released tvOS support and new assignment workflows last month.

 

Auto Apps

Auto Apps are designed to streamline Mac patch management for apps that are not available in the Mac App Store. Apple does an excellent job of automatically updating App Store apps without disrupting the user experience. However, as any Mac admin knows, there are many Mac apps that are not available in the Mac App Store, and those can be a challenge. As an IT team, it can be incredibly time-consuming to manually manage patches and updates for a large number of business applications.

Auto Apps are pre-packaged, hosted, and automatically updated – forever. Kandji has loaded 20+ of the most common business apps that are not available in the App Store into our Library and will govern versioning for all those apps moving forward, so you have peace of mind without manual package management work. We’ll be adding more apps every month based on customer feedback.

Auto Apps - mobile-1

You can choose whether you want updates enforced automatically or manually. A manual update can be used on a specific date if a certain patch is needed (such as the infamous Zoom vulnerability in 2019). 

You can also automatically Add to Dock, a unique feature enabled by Kandji’s macOS Agent. If a user uninstalls the app, the Agent will actually reinstall it and re-add it to the dock on the next check-in.

With Auto Apps, you can also have peace of mind that your end users won’t be disrupted by unnecessary or confusing user approval requests. Every single Auto App includes:

  • Notification whitelisting: Enables a silent install without the user being notified
  • Kernel Extension (KEXT) whitelisting: Ensures users will not receive prompts to approve Kernel Extension access
  • PPPC (Privacy Preferences Policy Control Profile): Lets apps access protected user and system resources without the user being prompted to approve the action

kandji auto apps end user-1

To learn more about best practices for deploying apps, read our Guide for Apple IT: App Deployment for macOS.

 

Profile & Parameter Updates

Global Profile Variables

Global Profile Variables can now be used in any profile in Kandji. Global Profile Variables are not only required for use in a SCEP Profile, but they are also useful in many different profiles. A great example is the Conference Room Display Profile, where you can type in any variable to display as a custom message on your Apple TV screen:

kandji profile variable asset tag conference room display-1

Global variables include:

  • Serial Number
  • Device Name
  • Asset Tag
  • UDID (Unique Device Identifier)
  • Profile UUID (Universally Unique Identifier)

New SCEP Profile

Along with Auto Apps, the Kandji team has also implemented a SCEP Profile. A SCEP (Simple Certificate Enrollment Protocol) profile enables over-the-air delivery of certificates. This allows you to easily leverage device certificates for services such as:

  • Network Access
  • VPN
  • Marking a trusted device using an Identity Provider

Over-the-air delivery creates a seamless experience for your end users; for example, whenever an employee enters a company building, they can automatically connect to Wi-Fi without having to enter a password.

SCEP profile kandji apple mdm

One of the challenges with these certificates, however, is that best practices require certificates to expire and be reissued. That way, if an employee’s device is compromised, no one else has untapered access to sensitive information. It’s not safe to simply provide a device with a certificate that never expires, but it can be complicated to reissue.

To solve this challenge, the Kandji team took a unique approach to the SCEP Profile by including automatic profile redistribution. 

scep automatic profile redistribution

This gives you the best of both worlds – you can keep your information secure without the friction of manually reissuing certificates.

New AirPlay Security Profile

The new AirPlay Security Profile comes on the heels of our tvOS release last month, and allows you to manage how an Apple TV accepts AirPlay requests. 

For example, you can choose to only allow connections from a device that is on the same Wi-Fi network. You can also control whether a passcode is required for every AirPlay request, or only when a particular device is requesting an AirPlay connection for the first time.

airplay security profile kandji apple mdm

New Login Window Profile

The new Login Window Profile is used to manage both visual and control elements of a device’s login window, giving IT teams a lot of granularity around how a macOS device can be accessed. The most common use case is displaying a custom banner on the login window, which can include Global Profile Variables such as Computer Name, but you can also restrict what options a user has at the login window and Apple menu.

kandji login window profile

Configuration options include:

  • Menu Bar: Choose whether or not to display the keyboard input menu, show additional details such as macOS version, network account info, and more
  • User Visibility: Hide local users, admins, or the “other” button, and choose whether to display individual user icons or username and password fields
  • Banner Text: Display a custom message at the bottom of the login window and lock screen
  • Options: Hide several buttons such as Sleep, Restart, Shut Down, or password hints
  • Logged-In Users: Hide various buttons for users who are logged in, such as Restart, Shut Down, Lock Screen, or Log Out

Custom Profile Scoping by Device Type

Kandji admins now have more granular options around how a Custom Profile is scoped to device types. In addition to selecting which Kandji Blueprint you would like to assign the profile to, you can also limit assignment to any combination of Mac, iPhone, iPad, or Apple TV devices.

kandji custom profile scoping by device

This is just a preview of what is to come – stay tuned for more enhanced assignment capabilities in future releases.

New Delete User Account Command

In some cases, it is important to be able to delete a local user account on a macOS device. For example, if an employee leaves the company or their local login is compromised, it is now possible in Kandji to remotely delete that local user.

kandji delete user command-1

Note that the Delete User Command does require Device Supervision on macOS. To learn more, read our guide to device enrollment, UAMDM, TCC, and supervision.

Set Computer Name Parameter

The Set Computer Name and Localhost Name Parameter, one of the most popular of our 150+ pre-built macOS controls, is now out of beta. This powerful control allows you to combine multiple variables to create a dynamic device name, including an option for custom text, asset tagging, Blueprint name, and more.

Set Computer Name Parameter-1

 

With innovation and iteration at the core of everything we do, we’re constantly building solutions to give you more of what you need and improve upon features you already love. With Kandji, you can be confident that your Apple fleet is in safe and secure hands from deployment to retirement. Request access to Kandji today.