Kandji MDM Integration Guide

Introduction

This document describes how to integrate a Kandji tenant with a Beyond Identity tenant, create an authentication policy based on the device being managed or unmanaged, and test the authentication policy. 

Contents

• Integrate Kandji with Beyond Identity – Kandji Configuration
  • API Rate Limit
  • Generate an API Token
• Integrate Kandji with Beyond Identity – Beyond Identity Configuration
• Push the Beyond Identity Authenticator to Devices
• Configure the MDM Authentication Policy
• Test the MDM Authentication Policy

Integrate Kandji with Beyond Identity – Kandji Configuration

API Rate Limit

The Kandji API currently has an API rate limit of 10,000 requests per hour per tenant. 

Generate an API Token

Kandji uses API tokens tied to the user that created it. We suggest creating a service user to create your Beyond Identity API token to prevent unexpected issues. 

1. Login to your Kandji tenant and navigate to Settings
2. Click Access in the top navigation bar
3. Scroll down to the API Token section and click Add Token
4. Give the token a Name and click Create
   
5. Click Copy Token and check the acknowledgement box
   Make sure to save the token in a safe place. You will not be able to see it again
6. Click Next
   
7. Click Configure
   
8. Scroll down to the Devices section and check the following options:
   a. Device details
   b. Device list
   c. Device Parameters
9. Click Save

Integrate Kandji with Beyond Identity – Beyond Identity Configuration

1. Login to the Beyond Identity Admin console.
2. Go to Integrations > Endpoint Management > Kandji.
   
   
3. Click the download icon to the right of Kandji. 
4. Enter the following information obtained from Kandji Admin UI.
   • Host URL (e.g. https://example.api.kandji.io)
   • API Token

5. Click Save Changes.

If there is any error in the URL and/or the API Token Permissions, you may see an “input_invalid” error. Make sure to use the base URL only and GET operation permissions for the API token.

Push the Beyond Identity Authenticator to Devices

macOS

How to Deploy the macOS Beyond Identity Authenticator via Kandji

iOS/iPadOS

How to Deploy the iOS Beyond Identity Authenticator via Kandji

Configure the MDM Authentication Policy in Beyond Identity

1. Log into the Beyond Identity Admin console.
2. Navigate to Policy >Edit Policy > Add Rule.
3. Create a rule to Deny authentication if the macOS device is not MDM Enabled.
   •  
     1. Under For any transaction, select Authentication.
     2. Under If device platform is, select macOS.
     3. Under If integration is, select Kandji > API is  > available.
     4. Under If integration is, click Add attribute and add this attribute under AND:
        Kandji > Device is managed > is > False
     5. Under Then, select Deny.
     6. (Optional) Add a custom error message under Customize notification. 
        
         
4. Click Add.
5. On the Edit Policy page, click Publish changes to publish the rules.
   
   
    

Test the MDM Authentication Policy

Verify the macOS policy:

1. Log into the Beyond Identity Admin console first from a macOS computer that is enrolled in Kandji MDM and then from a macOS computer that is not enrolled in Kandji.
2. Confirm that the policy behavior is as expected.
3. Check the Events tab to ensure that the correct rule is triggered.

Verify the iOS policy:

1. Log into the Beyond Identity Admin console first from an iOS/iPadOS device that is enrolled in Kandji MDM and then from a iOS/iPadOS device that is not enrolled in Kandji.
2. Confirm that the policy behavior is as expected.
3. Check the Events tab to ensure that the correct rule is triggered.