The Good, Bad and Terrible of Kandji

Who is Kandji for Really?

Kandji (https://www.kandji.io) is best described as a product that works well for anyone who has to manage Apple devices but doesn't want to become an expert in Apple administration. The product is very limited in what you can do outside of the options in the interface. I have had the opportunity to use Kandji with their free 21-day trial.

Keep in mind: the following are my views only. I am not managing a large fleet with the product. I did not look at any of the non-Mac management features. I also love tools that have powerful, flexible feature sets–so anything that is bound up with a rigid interface and minimal power features is not going to be my cup of tea. This article is very much the perspective of a long-time Apple administrator/engineer and Jamf user who is fascinated by how things work.

What it Does Well

  • Simple setup: without reading the manual and with minimal knowledge you can get the instance set up in under 20 minutes.
  • If you have basic needs, then the prebuilt applications, configurations, and simplified workflows will make it easy to go from no management to full management in a matter of days/weeks. (It's not going to be best-in-class, but it will be a lot better than what you will get from someone who doesn't know anything about Apple product management.)
  • The OS update experience is very smooth and polished. The notifications have the standard limitations of what I assume is declarative management at work.
  • The application installs are fast and easy–at least for smaller apps. The pre-built applications seem to be products of AutoPkg or similar–perhaps with some custom code around it. There is nothing very special in their production, and nothing good or bad to say about their installation experience.
  • The actual agent product seems well-built–and uses modern Swift coding. The design seems similar to Jamf in structure, but without any obvious Keychain items that I could find.
  • It holds your hand and pushes you towards reasonable standards.
  • Easy access to compliance standards such as CIS and STIG.

What it Does Poorly

  • Provide any sort of power features such as robust script engines or custom packages.
  • It doesn't seem to have any sort of custom attributes to speak of–so you have to rely on what they give you.
  • The reporting features are very weak. Prism is a very limited reporting engine–made worse by the lack of custom attributes. Honestly you'd likely need to add some other tools to get good reporting–maybe Wazuh or similar.
  • The local agent is not as powerful as, for example, Jamf's–in terms of being able to interact with the server. It is exactly what you'd imagine if you stripped Jamf down and tried to make it easier to use by primarily taking away features.
  • The implementation of many things such as package installs and scripts is very similar to Jamf with it downloading and running files, but the way in which that works is a bit different–details-wise.
  • It tends to feel like the genesis of the product was macOS Server and a bunch of scripts to enhance the management features–which then evolved.
  • The attempt to provide "grouping" functionality in the limited blueprint paradigm is pretty poor and isn't even close to the power you get with something like Jamf smart groups–even with all of their limitations.
  • As an EDR product–don't kid yourself. You will still need something else. The idea that a Mac-only EDR has any business existing is a bit comic. If you decide to use the EDR it uses Apple's endpoint security framework. The tool does a reasonable job finding threats and dealing with them assuming you have it configured to quarantine threats–otherwise you get alerts. It will NOT detect anything that isn't a #Mac threat.
  • The onboarding experience is a hampered version of something like a DEPNotify or whatever the current equivalent is.
  • Custom PKGs are limited to 5 GB or less–so you will have "fun" installing Xcode or other large packages.

Pricing

For details on pricing, you should speak to a Kandji salesperson. However, from my perspective, it's a pricey product for what it is. Keep in mind my value matrix is not the value matrix that is behind Kandji's design. Kandji is designed for those who want a simple administration experience not requiring too much specialized knowledge of Apple products. I don't think Kandji is the most expensive game in town, but it certainly is up there depending on how small the deployment is.

To give you a sense: if you buy the minimum number of device seats (25) for one year, and only #Macs, you will be paying $2400/year for just MDM. With the EDR option: $4200/year. If you consider this in the context of a small business looking to have a part-time on-staff IT person, this isn't too bad. Consider how many IT shops don't really do Apple. Also, consider how much good IT services cost. When you consider the sunk cost of your already-there person and add Kandji on top, you have a compelling deal for the right sort of person and business.

Also, for those of you asking "what about #Jamf NOW or some other product?"–well, I am not talking about that. However, Kandji is far more powerful than Jamf NOW. Jamf NOW comes in at $4/device/month–which, while cheaper, is an even worse set of trade-offs.

If we flip the scenario and look at a large enterprise with complex needs, then the picture is not so great. Kandji becomes an overly encumbered tool that isn't cheap enough to be worth putting up with the compromises. Consider the 1000 device price point for 1 year with just MDM: $67,200 and with EDR: $117,600. If you compare this to Jamf for business, you'd pay close to $172,000 for the same situation–however, Jamf is a far more robust product with a more robust feature set capable of handling complex needs–which at ~31% more I view as a good use of money, even factoring in the need for higher-skill, expensive staff to get those benefits.

Closing Thoughts

Kandji is definitely not for me. If you are a seasoned #Apple product administrator this is likely not going to be for you either. The best fit I can think of is a small to medium business with a part-time IT person and only Apple products. In that case, this product is just right. You can do a decent job managing your Apple products with very little knowledge or need to read the manual.

However, for anyone with real Apple product administration experience or complex needs, this product is probably best left on the shelf. To me, it is a bit of a sign of the end times for Apple admins. The product is so limited and makes doing anything custom so arduous as to beg the question in any C-level executive's mind: why do I need to pay for an Apple Expert when I can get someone less expensive and have a product like #Kandji make up the difference? This is faulty reasoning, but a trap that many businesses may fall into.

Kandji is a mixed bag–for sure. I have only used it for the trial and not with a large fleet. If you disagree feel free to tell me how wrong I am. However, as a long-time Apple product administrator and enthusiast of powerful tools and flexible solutions, I am running away from this tool–right now!

Stuart Ashenbrenner

Principal macOS Security Researcher @ Huntress

5 months

As someone who works with a lot of Windows-first admins, Kandji really excels at making the learning curve linear. I find the learning curve to Jamf Pro incredibly steep, and often, overkill for anyone who has <500 Mac devices. Lots of the admins I work with just need an easy-to-use UI with some basic features, and I think Kandji does great in that regard. Maybe I am misreading, but I'm not sure I'm understanding that 'Con' of their EDR. I imagine it's implied that Kandji, or Jamf for that matter, would only detect threats on Mac as they are both Apple-only. Was there certain malware that you got to bypass it or that wasn't alerted on?

Dawid Brygier

Head of Enterprise IT Infrastructure @ OLX

5 months

I agree Kandji isn’t for everyone, but it does provide instant value out of the box with a lot of prebuilt features such as auto apps, assignment maps, CIS benchmark settings etc. It does what you need it to do, the admin console is fast and responsive and, I’d say, a pleasure to work with compared with other Apple MDM products. Sure, it isn’t as customizable as Jamf, but I’ve seen many large shops with Jamf using maybe 20% of its capability and also resorting to other solutions for apps and package management because it was too complex to implement and manage in Jamf. Kandji also came a long way in the last couple of years with feature enhancements as well as API improvements, and you can now manage a lot of that with code and complex automations similar to Jamf. So to summarize, I think Jamf is great but underused in a lot of companies, and people might choose something that is just simpler and more user friendly (from admin and end user perspective).

Adam Tomczynski

Experienced IT Professional. Apple platform and Jamf Pro MDM administrator; Systems Integration Manager with Oak Park Elementary D97; continuous learner.

5 months

Nice writeup! I’ve been using Meraki and switched to Jamf Pro about 8 years ago. I like the flexibility of extension attributes and smart groups, and appreciate the way in which I can execute scripts as the (end) user. Jamf Composer, the Mut, and other 3rd party products like ones from Big-Rat are great add-ons.
