Kandji

This article provides step-by-step instructions to implement the App Catalog using Kandji.

Requirements

• At least a Kandji account with Standard permissions

Configuration Profile

• A Configuration Profile is needed to activate and configure the App Catalog. There are two options:

  • Basic: Go to the App Catalog Customer Portal to get a Configuration Profile to get you started right away with basic settings including the Supporting Configuration Profiles

  • Custom: Read the documentation to create a custom (advanced) configuration profile to meet your requirements: Configuration Profile

• When your Configuration Profile is ready, login at your Kandji URL or using https://www.kandji.io/login/

• Go to Library -> Add new -> Custom profile

• Click Add & Configure

• Choose a name such as: App Catalog Configuration

• Optionally select a Blueprint to add the App Catalog to an existing Blueprint or do this later

• Make sure to only select Mac in the Install on field

• Select the .mobileconfig file containing your Configuration Profile

• Click Save

Supporting Configuration Profiles

To fully enable the App Catalog, some additional profiles are needed such as a Notifications payload, a Managed Login Item payload and PPPC.

Notifications

To automatically allow install and update notifications, you will need to deploy a Notifications profile. At this moment, Kandji does not have an option to create a native Notifications profile from the Library. A custom profile is required.

• Download the example Configuration Profile from here:

• Go to Library -> Add new -> Custom profile

• Click Add & Configure

• Choose a name such as: Notifications - App Catalog

• Optionally select a Blueprint to add the App Catalog to an existing Blueprint or do this later

• Make sure to only select Mac in the Install on field

• Select the .mobileconfig file

• Click Save

Managed Login Item

Create a Managed Login Item to make sure App Catalog background services cannot be disabled by the end user. Refer to the following page for more information:

• Go to Library -> Add new -> Login & Background Items

• Click Add & Configure

• Choose a name such as: Managed Login Item - App Catalog

• Optionally select a Blueprint to add the App Catalog to an existing Blueprint or do this later

• Click Add Background Item and fill in the information from Managed Login Item

• Click Save

PPPC

Create a Privacy Preference Policy Control profile to make sure the App Catalog has the neccessary permissions to install and update apps. Refer to the following page for more information:

• When your Configuration Profile is ready, go to Library -> Add new -> Privacy

• Click Add & Configure

• Choose a name such as: PPPC - App Catalog

• Optionally select a Blueprint to add the App Catalog to an existing Blueprint or do this later

• Fill in the information from App Management (PPPC). For App or Service, choose either SystemPolicyAllFiles or SystemPolicyAppBundles depending on your preference.

• Click Save

Installing Apps

To install apps, the Catalog Agent needs to be installed and called with the Bundle Identifier as described in Installing Apps and needs to be done in a small script. Kandji does not support the use of variables in Shell Scripts and therefore a separate script for every app you want to install is needed. Follow these steps to create and add an app installation script:

• Copy the app Bundle Identifier from https://portal.appcatalog.cloud/catalog

• Download the app icon from https://portal.appcatalog.cloud/catalog

• Go to Library -> Add new -> Custom Scripts

• Click Add & Configure

• Choose a name such as the name of the app

• Click on the icon next to the name and choose Add new icon to upload the app icon

• Optionally select a Blueprint to add the App Catalog to an existing Blueprint or do this later

• Set to Execution Frequency to your preference

• Obtain the installation location of the app, such as: /Applications/Google Chrome.app

• Add an Audit Script to check if the app was successfully installed. Make sure to change the app installation location:

#!/bin/zsh --no-rcs

# App location
app_location="/Applications/Google Chrome.app"

# Audit
if [[ -e "${app_location}" ]]; then
    echo "${app_location} is already installed"
    exit 0
else
    echo "${app_location} is not installed yet"
    exit 1
fi

• Add a Remediation Script to install the App Catalog (if not already installed) and the app

#!/bin/zsh --no-rcs

# Install App Catalog when not installed yet
if [[ ! -f "/usr/local/bin/catalog" ]]; then
    curl -sSL https://cdn.appcatalog.cloud/install_app_catalog.zsh | zsh
fi

# Install app
/usr/local/bin/catalog --install "com.google.Chrome"

• Click Save

Liftoff

If you use Kandji Liftoff to show an onboarding visualization, the app installs will also be shown.