Having secure devices plays a major role in meeting compliance requirements. We want to support as many Mobile Device Management solutions (MDMs) as possible, in addition to providing our agent. We have heard from many of you that you use Kandji for macOS. This article goes over how to sync and bring all of your compliance-related information from Kandji to Drata.
Prerequisites
Make sure you have admin access to your company's Kandji account.
Your Kandji account has access to the Kandji API (included for accounts with 500+ devices; otherwise it can be purchased separately from Kandji).
We currently support computers only. Mobile and tablet devices are not supported.
The Kandji connection is currently available only for macOS devices.
Only one configuration source per machine will be read, with the Drata agent taking precedence.
Kandji cannot natively detect browser extensions, so if a browser extension is the only password manager in use, that compliance check will fail. Your users will need to install the equivalent desktop application, and that app must appear in the device's Application List in Kandji.
Drata’s device compliance checks that use the Kandji connection confirm the following:
Does the policy of the required name and/or type exist?
Is that policy mapped to the device?
Is that device compliant with that policy?
Step 1. Configure Kandji Blueprints - Templates
To use Kandji, you need to ensure that your devices have been enrolled with the Kandji agent and that you have configured blueprints (see Kandji's Blueprints documentation for details). We recommend using Level 1 from Kandji's templates, since it has all the required compliance components except for the screen saver. To add the screen saver, follow these steps:
Click on the Kandji Level 1 blueprint:
Click on the Edit Library button:
Enable the Screen Saver toggle and save your changes:
Step 1A. Configure Kandji Blueprints - Custom
If you prefer to use your own blueprints, make sure the following library items are configured. You must include the indicated keyword in each library item's name:
FileVault (ensures that the device disk is encrypted)
Firewall (restricts external connections)
Passcode (ensures that devices are password protected)
Screen Saver (requires a password when the user is inactive)
Software Update (manages automatic update settings)
Step 2. Configure Kandji API
In this step, you will set up an API token with the following permissions:
Device details (Get the full details for a specific device).
Device list (Get a list of all devices in the Kandji instance).
Application list (List all installed applications for a specific device).
Device library items (Get library items for the device).
To set up an API token, go to Settings > Access > API Token. There are three parts to this step:
Copy and modify your Kandji API URL
Create and copy your API Token
Set the API token's permissions
Step 2A. Copy and modify your Kandji API URL
The API Token page shows your organization's API URL, which you will need when connecting to Drata. As an example, suppose the raw URL Kandji shows is dratanfr.api.kandji.io. Kandji requires additional syntax to make successful API calls, so for this example the value you enter into the Drata connection drawer is https://dratanfr.api.kandji.io/api/v1/
Note the two additions to the URL syntax:
https:// is prepended
/api/v1/ is appended
Drata will show an error if the URL is not in this format.
Note: If you are an EU Kandji customer, your raw API URL looks like dratanfr.api.eu.kandji.io. That is, eu comes after api. and before .kandji in your specific URL. You must still make the same two additions before entering your URL into the Drata connection drawer, giving https://dratanfr.api.eu.kandji.io/api/v1/ for this example.
Step 2B. Create and copy your API token
Click Add Token, then add a name and description for your token and click Create.
Copy your token and click Next. You will not be able to view this API token again, so treat it as a secret and store it somewhere safe until you enter it in Drata.
Note: You will need this token along with the API URL when connecting to Drata, so make sure to copy the token before you click Next.
In the next step, we are going to add the required access permissions to your token.
Step 2C. Set the API token's permissions
Make sure that the following permissions are granted to the token you will be using.
Device details
Device list
Application list
Device Library items
Once you click Save, you will be able to verify the proper set up in the next screen.
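The URL rules in Step 2A and the permission list in Step 2C are easy to get slightly wrong (a stray http://, a missing trailing slash, a token created without one of the four permissions). The script below is an added example, not Drata's or Kandji's own code: normalize_kandji_url() turns whatever Kandji shows you into the exact form the Drata connection drawer expects (US and EU tenants), kandji_url_error() explains why a value would be rejected, and check_token() exercises one endpoint per required permission so you can confirm the token before pasting it into Drata. The endpoint paths, the bearer-token header and the device_id field name are assumptions drawn from Kandji's public API documentation rather than from this article; verify them against your own tenant.

```python
"""Validate a Kandji API URL and token for the Drata connection.

Added example, not Drata's or Kandji's own code.
Assumptions (not from the article): Kandji accepts the API token as a
bearer token, and the four permissions map to the endpoint paths in
REQUIRED_PERMISSIONS below.
"""
import json
import re
import urllib.error
import urllib.request

# Kandji tenant hostnames: <tenant>.api.kandji.io (US) or
# <tenant>.api.eu.kandji.io (EU). Anything else is rejected.
_HOST_RE = re.compile(r"^[a-z0-9-]+\.api(?:\.eu)?\.kandji\.io$")


def normalize_kandji_url(raw: str) -> str:
    """Return the URL in the form Drata expects, e.g.
    'dratanfr.api.kandji.io' -> 'https://dratanfr.api.kandji.io/api/v1/'.
    Accepts a bare hostname, 'https://host', 'https://host/' or an
    already-correct URL. Raises ValueError for http://, non-Kandji
    hosts, or any path other than /api/v1/."""
    s = raw.strip()
    if s.lower().startswith("http://"):
        raise ValueError("Kandji API URL must use https://, not http://")
    if s.lower().startswith("https://"):
        s = s[len("https://"):]
    host, _, path = s.partition("/")
    host = host.lower()
    if not _HOST_RE.match(host):
        raise ValueError(f"{host!r} is not a Kandji API hostname "
                         "(expected <tenant>.api.kandji.io or <tenant>.api.eu.kandji.io)")
    path = path.strip("/")
    if path not in ("", "api/v1"):
        raise ValueError(f"unexpected path {path!r}; only /api/v1/ is allowed")
    return f"https://{host}/api/v1/"


def kandji_url_error(raw: str):
    """None if the value is acceptable, otherwise the reason it is not."""
    try:
        normalize_kandji_url(raw)
        return None
    except ValueError as exc:
        return str(exc)


def is_eu_tenant(url: str) -> bool:
    """True if the (normalized) URL points at Kandji's EU region."""
    return ".api.eu.kandji.io/" in url


# Permission name (as shown in Kandji's token settings) -> endpoint that
# needs it. Paths are an assumption based on Kandji's public API docs;
# {id} is a device_id taken from the device list response.
REQUIRED_PERMISSIONS = {
    "Device list": "devices",
    "Device details": "devices/{id}",
    "Application list": "devices/{id}/apps",
    "Device Library items": "devices/{id}/library-items",
}


def check_token(api_url: str, token: str, timeout: int = 15) -> dict:
    """Call one endpoint per required permission and report the result:
    True = allowed, False = 403 (permission missing on the token),
    None = could not test (no enrolled device to query against).
    A 401 means the token itself is rejected, so we stop immediately."""
    base = normalize_kandji_url(api_url)
    results, device_id = {}, None
    for name, path in REQUIRED_PERMISSIONS.items():
        if "{id}" in path:
            if device_id is None:
                results[name] = None
                continue
            path = path.replace("{id}", device_id)
        req = urllib.request.Request(
            base + path, headers={"Authorization": f"Bearer {token}"})  # assumption: bearer auth
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = json.load(resp)
            results[name] = True
            if name == "Device list" and isinstance(body, list) and body:
                device_id = body[0]["device_id"]  # assumption: field name per Kandji docs
        except urllib.error.HTTPError as exc:
            if exc.code == 401:
                raise PermissionError("Kandji rejected the token (401); re-check Step 2B")
            results[name] = exc.code != 403
    return results


if __name__ == "__main__":
    import sys
    url, tok = sys.argv[1], sys.argv[2]          # usage: script.py <api url> <token>
    print("Enter this in Drata:", normalize_kandji_url(url))
    for perm, ok in check_token(url, tok).items():
        print(f"{perm:22s} {'OK' if ok else 'MISSING' if ok is False else 'not tested'}")
```

Run it with the raw URL from the Kandji API Token page and the token you just created; any permission reported as MISSING must be enabled in Step 2C before Drata's sync will work, and a 401 means the token was copied wrong.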
Step 3. Connect your User Directory
Your Kandji account should be connected to a user directory. This feature can be accessed under Settings > Integrations > User Directory. It is important to use the same account as the identity provider (IdP) used in Drata (Google, Okta, Microsoft 365) to ensure users are synced between Kandji and Drata. If your Drata IdP is not available in Kandji, ensure the email addresses in your Kandji user directory match exactly to the ones in your Drata IdP.
Step 4. Connect Kandji to Drata
Click 'Connections' from the menu.
Select the Available Connections tab and search for Kandji. Then select the Connect button for the Kandji integration.
Enter the API URL and API token created above in Step 2. For the API URL, ensure you enter the full URL format as described in Step 2A: it must have https:// prepended and /api/v1/ appended.
Enter the Kandji account details and click Save & Test Connection.
Step 5. Enable Kandji and Verify Connection
Navigate to your name in the lower left, then select Settings.
On the Settings page, select Internal Security. On this page, under Workstation configuration monitoring, enable Automated via Kandji MDM and disable Automated via Drata Agent.
Note: If both remain on and the Drata agent is installed on an employee computer, the Drata agent will take precedence, meaning that employee's compliance checks will come from the agent rather than from Kandji.
Your Kandji setup is complete! Drata will fetch data from Kandji on a daily basis once Autopilot completes running.