An in-depth review of the Kandji platform from Rocketman Tech
Rocketman Tech helps organizations succeed with Jamf, offering consulting and tools to simplify the management process. In this blog, Chris Schasse — Founder, Owner and Lead Engineer at Rocketman Tech — recaps his in-depth comparison of Kandji and Jamf Pro.
Chris was not compensated for this blog post; these views are his alone and not endorsed by Jamf.
Like many organizations, at Rocketman Tech we enroll our devices into mobile device management (MDM). We’re on the lookout for the best MDM based on the quality and breadth of its features and its usability. Today, we’re comparing the pioneer and most popular MDM platform, Jamf Pro, with a newer platform that was started in 2018, Kandji.
The interface
The Kandji interface showing the Devices module.
To start off, let's take a look at the Kandji interface. The Kandji interface includes these modules:
- Devices: this is where enrolled devices are stored.
- Blueprints: this is where you can group your devices.
- Library: this is where you can create bookmarks, custom apps, printers, profiles and scripts.
- Users: the user data is here, including users being pulled from an identity provider (IdP).
- Activity/Alerts: shows change management logs, along with any alerts on devices.
- Add Devices: this is where you can go through the various enrollment options for the Kandji platform.
- Integrations: this is where you can integrate other platforms into Kandji.
- Settings: for setting any global settings.
Devices
The devices section lists all of your devices enrolled in Kandji. In this section, users can:
- View a list of devices
- Filter devices based on certain criteria
- View details about a specific device
- View alerts and logs for the devices
- Add a user or an asset tag to a device
- See what Blueprint the device is part of
- Add notes to a device
- See what applications are on the device
Blueprints
Blueprints in Kandji
macOS and iOS devices are sorted into groups called Blueprints, similar to Apple Configurator and Jamf Now. Users set up Blueprints for each group of configurations that they want. All devices in a Blueprint will have the same applications, configuration profiles and settings.
Library
Library module in Kandji
This is where most of the heavy lifting is done on the platform. The Library section allows you to create things like packages and scripts to be deployed to devices through the Blueprints they are a part of. Through the Library, you can deploy:
- Profiles: preset configuration profiles
- Auto apps: applications that will install and update automatically
- Automated device enrollment: prestage enrollment profiles
- Liftoff: enrollment onboarding screens, similar to Jamf macOS onboarding
- Passport: user account synchronization with an identity provider, similar to Jamf Connect
- Bookmarks: web links in Kandji's application catalog
- Operating systems: specific operating systems that can be deployed to devices
- Custom apps: allows you to upload PKGs, DMGs and ZIP files
- Custom printers: printers that can be mapped through IP address
- Custom profiles: custom XML that can be deployed as a configuration profile
- Custom scripts: bash scripts run directly on the device
Users
User data is stored in the Users area. This will populate with any users that are assigned to devices in the Devices section. If you have an identity provider integrated, it will also populate with all the users from your identity provider. This is different from Jamf, where it only shows you the users that are assigned to devices, and not your entire LDAP directory.
Add devices
Adding a device to Kandji
Devices can be added in a number of ways through Kandji:
- Enrollment profile: you can download an enrollment profile directly to the device. This will put the device into a specific prestage.
- Enrollment link: you can provide a link for users to enroll their device.
- Apple Business Manager or Apple School Manager: the main way to enroll devices is through Apple School Manager or Apple Business Manager. This integration is set up in the Settings area, along with the Library area.
Integrations
Adding an integration
In the Integrations area you can add any of several integrations through Kandji. These include:
- Google Workspace Directory integration
- Azure Active Directory integration
- SCIM integration for other Identity Providers, including Okta
- Microsoft Teams webhooks integration, for sending alerts to Microsoft Teams
Settings
Settings module in Kandji
Lastly, we have Settings. Here, users can set a number of global settings, including:
- Setting your company name
- Creating the push certificate
- Apple Business Manager or Apple School Manager integration
- Self Service configuration
- API token creation
What we like
The best part about the Kandji platform is that it is visually appealing, modern and easy to use out of the box. Many of the Library Items are pre-built and can be deployed quickly and easily. Blueprints, although somewhat limited, are a very intuitive and easy way to set up groups that might otherwise be quite complex.
It has some amazing built-in features as well. Onboarding screens and password synchronization with an identity provider are easy to set up using Liftoff and Passport. Auto Apps allows easy deployment to and patch management of a large variety of Mac applications.
Operating Systems is a slick and easy way to update macOS across multiple operating systems and architecture types, something that would require detailed community scripts (like Kevin White's S.U.P.E.R.M.A.N.) on an MDM platform like Jamf. Kandji even has an article explaining how these updates are pushed, depending on these variables:
How Kandji pushes OS updates on Mac computers with Intel chips
How Kandji pushes OS updates on Mac computers with Apple Silicon
Comparing to Jamf Pro
Comparing Kandji to Jamf Pro doesn't really seem fair… for either platform. Jamf can't compare to Kandji's simplicity and ease of use, but that simplicity comes at a cost, and that cost is limitations. Jamf has an incredibly large feature set that Kandji doesn't get close to matching. As someone who set up Jamf Pro in hundreds of environments, I know that many of the tools within Jamf Pro are only used by 10-20% of their clients, but for those clients that use them, those tools are essential to their workflows.
To understand the scale of these differences, I need to break this down a bit.
Interface. Let's start by just looking at components. I was able to show Kandji's entire interface in a short blog post, and it really only has nine sections. Jamf Pro has 75 components, just in settings alone. Overall, Jamf has over 100 components that drive its platform. I know this isn't a 1:1 comparison, but it shows the depth of what you can do in Jamf vs Kandji.
API. The Jamf API has orders of magnitude more commands available than Kandji’s API. To put this in perspective, Kandji has roughly 50 commands that can be sent through their platform, which are mostly composed of GET commands. It does not allow you to customize the platform much through their API. Jamf, on the other hand, has thousands of commands that can be sent using the classic and production APIs that they offer. This allows you to automate almost every component within Jamf Pro, which is a feature we use heavily at Rocketman Tech.
Criteria. While Kandji only offers 14 criteria for creating reports, Jamf Pro offers over 150 criteria (even more if you have extension attributes), allowing you to customize your reporting to fit your needs.
Smart Groups. Jamf Pro’s powerful Smart Groups go beyond Blueprints to group computers based on (very) specific or not-so-specific criteria — you have the choice.
Extension attributes. Extension attributes in Jamf Pro make it simple to gather all kinds of information from a device and use these for reporting or other actions. This way you can customize your admin experience based on how you work best.
Policies. While complex, policies give admins the power to customize the configuration of individual devices. This also means you can remove them from single devices for any reason. Devices don’t have to adhere to a single “master” configuration. This gives admins the ability to address any nuance required for businesses of all sizes and complexity.
CIS auditing. There's a lot that goes into CIS Benchmarks and security audits, and Kandji doesn't even come close to what we could consider base-level standards, much less the standards that Jamf sets. Although Jamf Pro doesn't natively offer any tools to assist with CIS benchmarking, tools like Jamf Protect offer powerful and complete CIS auditing, while Jamf Pro and Jamf Connect can help organizations meet these benchmarks with full customizability. Jamf Compliance Editor gives admins an easy way to establish and manage compliance baselines and is built on the foundations of the macOS Security Compliance Project hosted by NIST. Jamf Compliance Editor supports CIS, NIST and DISA STIG baselines and features an easy-to-use interface that doesn’t require complicated scripting.
Onboarding. With Jamf Pro, it’s possible to create configurations exactly how you want them, including running cached packages. It’s simpler to create installation dependencies and change the order apps are downloaded in.
Key takeaways
So what's our conclusion? Kandji is a very well-built platform that is made to be simple, look good, and fit users within a certain type of management. However, if you have a larger environment with enterprise software or unique use cases, you may find Kandji either cumbersome or impossible to manage, depending on your workflows.
Kandji is built for a very narrow (but important) segment of the macOS administration world, and that is modern SMBs with 50-150 Apple devices, a lean IT team, and no more than 400 employees total. Like Jamf, it doesn't support Windows or Android, but even within the Apple world, it's not built for K-12 schools, large universities, large enterprises, managed service providers, high-security organizations, organizations with old infrastructure or anything outside of the norm.
And if we're being honest, it's difficult to compare Kandji to Jamf at all, because Kandji has one product, Kandji, that is very limited in scope compared to Jamf Pro. Jamf not only has Jamf Pro, but also Jamf Now, which is similar to Kandji. It also has Jamf School, which is built specifically for K-12 schools. It also has its security tools like Jamf Protect, Jamf Trust and Jamf Compliance Editor. It also has Jamf Connect, which is similar to Kandji's Passport, but with many more features.
And the best part about Jamf has always been the community behind it. The Jamf Nation User Conference is the largest and longest-running Apple admin conference in the world. Jamf Nation is the go-to place for many answers to common issues that Apple administrators have, from all types of backgrounds. And countless people have built utilities specifically for Jamf Pro that can't easily be used in other more limited platforms like Kandji. Rocketman Tech alone has created over 50 tools, many of which are open source, that are built specifically for Jamf Pro. You won't see service providers building tools like this for Kandji.
Watch the entire in-depth review.