Kandji Agent and MDM

This guide applies to macOS and Windows

macOS
Windows

About the macOS Agent

Iru Endpoint’s proprietary macOS agent extends the functionality of our platform beyond what the MDM framework can achieve by itself. The Kandji Agent for macOS is custom-built using Swift, a streamlined programming language specifically designed for Apple devices. Additionally, the Kandji Agent installs and uses a system extension leveraging Apple’s Endpoint Security framework, both for added device management functionality as well as for EDR and Vulnerability Management.

How the MDM Framework Works

Using Apple’s MDM framework in macOS, iOS, iPadOS, and tvOS, administrators can deploy and configure apps and settings, collect device information, and remotely lock or wipe devices. This can be done with corporate-owned as well as Bring Your Own Device (BYOD) devices.One advantage of using Apple’s MDM framework is how quickly it can communicate with devices. That means commands (such as to lock or erase devices) are implemented almost instantly. This is made possible by the Apple Push Notification service (APNs). Apple devices are constantly polling APNs for notifications requesting that managed devices check in with their MDM servers. Because of this constant polling, management of online devices can happen almost instantly.

Actions Performed by the Kandji Agent

App Blocking: The Kandji Agent blocks applications specified using the App Blocking Library Item and presents the Iru Endpoint dialog window to end-users. App blocking is handled by the Kandji system extension to ensure blocks happen as quickly and effectively as possible.
Auto Apps: Installation and enforced updates for Auto Apps are handled via the Kandji Agent.
Collection of additional computer details: The full application list, as well as other system details, can’t always be pulled via the MDM framework. The Kandji Agent helps pull these other details. Application inventory data in Prism is gathered by the Kandji system extension, allowing it to be made available in near real-time.
Custom Apps: Installation of DMG, PKG, and ZIP files. Running the audit, pre-install, and post-install scripts and forcing restarts if that option is enabled. See Custom Apps for details.
Endpoint Detection and Response: EDR and its associated scans are completed using the Kandji Agent.
Parameters: Most Parameters go beyond the MDM framework. For example, the Manage SSH Config parameter requires the Kandji Agent to write to the SSH config file.
Scripts: All scripts are run as root by the Kandji Agent. See Custom Scripts for details.
Vulnerability Management: Vulnerability Management and its associated scans are completed using the Kandji Agent.

Actions Performed by MDM

Apps and Books installation (formerly VPP): Apps acquired via Apple Business Manager and deployed via Iru Endpoint are installed by leveraging the MDM protocol. See Configure Apps and Books and Add Apps from Apps and Books.
Automated Device Enrollment (formerly DEP): Automated Device Enrollment leverages the MDM protocol to enroll devices during setup.
Kandji Agent installation: When a macOS device is enrolled into Iru Endpoint, one of the first commands initiated is the InstallEnterpriseApplication command to install the Kandji Agent.
Kandji Agent re-installation: When a macOS device has checked in via MDM in the last 7 days, but not via the Kandji Agent in the last 7 days, an InstallEnterpriseApplication command will be automatically sent in an attempt to reinstall the Kandji Agent. See Troubleshooting Agent Check-Ins if the agent is not checking in.
MDM Commands: Commands such as those available in the device Action menu are sent via the MDM protocol.
Over-the-air enrollment profiles: When users navigate to the enrollment portal and download the enrollment profile, the communication between the device and Iru Endpoint to enroll the device is done via the MDM protocol.
Profile Installation: MDM profiles are delivered via the MDM protocol. See Library Overview for how profiles and Library Items are managed.

About the Windows Agent

Windows devices in Iru Endpoint are managed through a combination of Windows MDM (mobile device management) and the Kandji Agent. The Kandji Agent handles application management (installation and upgrade) and gathers application inventory from devices; MDM handles device policies and configuration. The agent checks in every 15 minutes. Devices are enrolled via the Enrollment Portal; the agent is installed automatically as part of MDM enrollment.

How the MDM Framework Works

Windows includes a built-in management component that communicates with the management server using the MDM protocol. Using Windows MDM, administrators can enroll Windows devices, deploy configuration profiles and system policies, and send commands such as wipe or retire. When you make changes in the Iru Endpoint Web App, requests are sent via Windows Push Notification Services (WNS). Managed Windows devices that are online typically respond within minutes.

Actions Performed by the Kandji Agent

Policies not delivered via MDM: The Kandji Agent retrieves and enforces policies assigned to Blueprints that are not deployed through the MDM channel.
Auto Apps: Installation and updates for assigned Auto Apps are handled via the Kandji Agent.
Application inventory: The agent collects and submits the full application inventory to Iru Endpoint on each check-in. See Device Check-In for check-in frequency and behavior.
Agent updates: The agent updates itself to a newer version when available.
Custom PowerShell scripts: The Kandji Agent also runs custom PowerShell scripts. See Custom Scripts for details.

Actions Performed by MDM

Device enrollment: When users enroll via the Enrollment Portal, the connection between the Windows device and Iru Endpoint is established through Windows MDM. The Kandji Agent is installed as part of enrollment. See Windows Enrollment and User Experience with Windows Enrollment for setup and end-user steps.
System policies: MDM handles Wi-Fi, Windows Firewall, BitLocker, and other system policies delivered via the MDM channel. These align with Microsoft’s MDM security baseline technologies. Configure via Library Items such as Wi-Fi, Windows Firewall, and BitLocker.
Event-driven commands: Commands such as wipe or retire a device and deploy a configuration profile are sent via WNS and typically apply within minutes when the device is online. See Device Check-In for details.
Daily MDM check-in: A full sync every 24 hours validates system configuration against admin intent, remediates drift, and collects daily device information (system info, hardware inventory, policy status).
Profile Installation: Configuration profiles are delivered via the MDM protocol. See Library Overview for how Library Items and profiles are managed.

For Windows agent troubleshooting (force check-in, reinstall), see Troubleshooting Agent Check-Ins. Windows agent logs are located at %ProgramData%\kandji\agent\logs.

General

Devices

Agent

Blueprints

Enrollment

Library

Deployment Guides

Settings

Integrations

Endpoint Detection & Response

Vulnerability Management

API

Kandji Agent and MDM

About the macOS Agent

How the MDM Framework Works

Actions Performed by the Kandji Agent

Actions Performed by MDM

About the Windows Agent

How the MDM Framework Works

Actions Performed by the Kandji Agent

Actions Performed by MDM

General

Devices

Agent

Blueprints

Enrollment

Library

Deployment Guides

Settings

Integrations

Endpoint Detection & Response

Vulnerability Management

API

​About the macOS Agent

​How the MDM Framework Works

​Actions Performed by the Kandji Agent

​Actions Performed by MDM

​About the Windows Agent

​How the MDM Framework Works

​Actions Performed by the Kandji Agent

​Actions Performed by MDM

About the macOS Agent

How the MDM Framework Works

Actions Performed by the Kandji Agent

Actions Performed by MDM

About the Windows Agent

How the MDM Framework Works

Actions Performed by the Kandji Agent

Actions Performed by MDM