Set up the Kandji integration and get all the insights in Torii's dashboard
Overview
Torii integrates with Kandji and syncs:
User Fields | License Types |
---|---|
Users | Mac |
Licenses | IPhone |
Status in app | IPad |
AppleTV |
Torii supports multiple Kandji accounts.
Additionally, Kandji discovers all installed apps on your company's devices as well as which users have these apps installed.
You will also be able to take and automate the following actions:
- Lock Kandji user's devices
- Erase Kandji user's devices
- Delete Kandji user's devices
Please note: we only display information on devices that are attributed to users.
You can constantly be updated with application information from our Integrations Page >> Integration Capabilities button >> Integration Capabilities table
Requirements
Accounts & permissions
- Make sure you have a Kandji Account and an admin user with access to users and applications.
Scopes
- Torii requests the minimum required scopes to support syncing all required data.
- Torii requires the following scopes to connect to get full user & license data from the integration:
- Applications - “GET /api/v1/prism/apps”
- Device list - “GET /api/v1/devices”
- To run actions in Kandji via Torii, additional permissions are required:
- "Read and take action" permissions when connecting the integration.
- Lock Kandji user's devices -
- "POST /api/v1/devices/{device_id}/action/lock"
- "GET /api/v1/devices/{device_id}/secrets/unlockpin"
- Erase Kandji user's devices -
- "POST /api/v1/devices/{device_id}/action/erase"
- "GET /api/v1/devices/{device_id}/secrets/unlockpin"
- Delete Kandji user's devices - "DELETE /api/v1/devices/{device_id}"
Connect the Kandji Integration
- Generate an API token in Kandji. To do so, log in to Kandji, and them go to Settings > Access
- Scroll down to API Token and click Add API Token to create a new API key.
- Enter Torii as the name, and a brief description.
- Click Create:
- Take a copy of the token and click Next.
- Click Configure to set the permissions.
The token needs the following endpoint permissions enabled:
- Applications - “/api/v1/prism/apps”
- Device list - “/api/v1/devices”
- When you are done, click Save
- You will then be shown your API URL which you will also need to enter into Torii:
- Now, connect the Kandji integration in Torii using the API URL and API token you've generated. Go to the Integrations page and click on the "Kandji" tile
- Connect to Kandji.
- In the integration connection popup, enter the API URL and API token, and click Connect.
- Once the integration is connected and synced, it will display a green checkbox.
Q&A
Q: Are there any desktop apps that Torii does not discover that can be found in Kandji?
A: Torii will discover all desktop apps as reported by Kandji with the exception of:
- Apps that include the word "helper"
- Apps that include the word "updater"
Q: Why is Torii presenting more apps discovered via Kandji than I am seeing in Kandji UI
A: The Kandji web interface shows only apps in the /applications and /system/applications folders - which is where apps are usually installed in MacOS. However, an application can be run from anywhere: if you download a .app
you may save it anywhere and it will usually run. It is even possible that there are apps running that will not appear in the users' Launchpad (usually if they are not in the directories listed above).
Via the Kandji integration, Torii can provide information on apps such as described above, which do not normally appear in the Kandji interface. We believe that knowing about these apps can be helpful to discover Shadow IT or unwanted apps installed and running in your organization's computers. Torii provides you this additional insight and provides you this enhanced discovery to make sure you are in full control.
Q: I've run the "Lock Kandji user's devices" action. Where can I find the PIN to unlock the user's devices?
A: After locking or erasing, the PIN number will be available in the workflow action details.
Q: What happens if I run the Kandji actions but the device is offline at the time they ran?
A: If a device doesn't have an internet connection, the erase and lock actions will be executed once the connection is re-established. The delete action does not require an internet connection to run, but the Kandji application will only be removed from the device once it has an internet connection.