Appendix C - Kandji

Use Kandji to deploy Workforce AI Security components to managed macOS devices.

Kandji supports multiple deployment scenarios.

For more information about how Workforce AI Security connects to external systems, see External System Connections.

Deploying AI Security Client

In this scenario, you use Kandji to deploy full endpoint protection.

To deploy the client:

  1. Download CheckPoint_Installer.zip as described in Downloads.

  2. Unzip the file.

  3. Open a terminal and run:

    ./TinyGenAI.app/Contents/MacOS/EPTinyGenAI --gen-mdm-script

  4. Use the generated script gen_genai_protect_installer_script.sh for the deployment.

  5. Log in to the Iru portal (https://www.iru.com/login).

  6. Go to Library.

  7. Click + Add library item.

  8. Select Custom Script.

  9. Paste the script content into the script editor.

  10. Click Save.

  11. Go to Blueprints.

  12. Assign the script to the required blueprint.

  13. Save the configuration.

  14. Return to Library and monitor deployment status.

Deploying the Fleet Scan Script

Deploy the Agentic Endpoint Scanner fleet scan script to managed macOS devices with Kandji.

Supported platforms: macOS

Prerequisites

  • Download the macOS fleet scan script from Workforce > Deployment > Downloads.

  • Make sure you have administrative access to Kandji.

To deploy the fleet scan script:

  1. Log in to the Kandji dashboard.

  2. Go to Library.

  3. Click + Add library item.

  4. Select Custom Script > Add and configure.

  5. Configure the script:

    1. Enter a title (for example, Agentic Endpoint Discovery).

    2. Select the blueprint for the endpoints where you want the scan script to run.

    3. Set the frequency to Run daily.

    4. Copy the fleet scan script content into the Audit Script box.

    5. Save and deploy to your target macOS devices.

User & Device Sync

Connect Kandji to Workforce AI Security to synchronize Apple devices and users.

Creating an API Token

  1. Log in to Kandji and go to Settings > Access > API Token.

  2. Click Add API Token and enter a descriptive name.

  3. Click Create Token. Copy the displayed token immediately and store it securely. The token is not shown again.

  4. Make sure these permissions are enabled for the token:

    Category    Permissions
    Users       List users
    Devices     Device details, Device list, Application list
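
Added example (not part of the vendor documentation): a shell check that the new token holds exactly the permissions listed above before you enter it in the portal. The `/api/v1/...` paths, the mapping of permission names to endpoints, the `KANDJI_API_URL` and `KANDJI_TOKEN` variable names, and the extra blueprint probe used as a least-privilege test are assumptions to confirm against your tenant's Kandji API documentation.

```shell
#!/bin/sh
# Added example, not vendor code. Endpoint paths and the permission-to-endpoint
# mapping are assumptions; confirm them in your tenant's Kandji API docs.

# http_status URL TOKEN: print the HTTP status of an authenticated GET.
# The token is fed to curl on stdin (-K -) so it never appears in `ps` output.
http_status() {
    printf 'header = "Authorization: Bearer %s"\n' "$2" |
        curl -s -K - -o /dev/null -w '%{http_code}' "$1"
}

# check_token API_URL TOKEN DEVICE_ID
# Returns 0 only if each required permission answers 200 and the
# out-of-scope probe does not.
check_token() {
    base=${1%/}; token=$2; dev=$3; rc=0
    # Columns: permission | endpoint | need (must be 200) or deny (must not be)
    while IFS='|' read -r perm ep want; do
        code=$(http_status "$base$ep" "$token")
        if [ "$want" = need ] && [ "$code" != 200 ]; then
            echo "MISSING  $perm ($ep -> $code)"; rc=1
        elif [ "$want" = deny ] && [ "$code" = 200 ]; then
            echo "EXCESS   $perm ($ep -> $code)"; rc=1
        else
            echo "OK       $perm ($ep -> $code)"
        fi
    done <<EOF
List users|/api/v1/users|need
Device list|/api/v1/devices|need
Device details|/api/v1/devices/$dev/details|need
Application list|/api/v1/devices/$dev/apps|need
Blueprint list (not required)|/api/v1/blueprints|deny
EOF
    return $rc
}

# Runs only when both variables are exported and a device ID is given.
if [ -n "${KANDJI_API_URL:-}" ] && [ -n "${KANDJI_TOKEN:-}" ] && [ $# -ge 1 ]; then
    check_token "$KANDJI_API_URL" "$KANDJI_TOKEN" "$1"
fi
```

Export the token from your secrets store rather than typing it on the command line, and pass the ID of any enrolled device as the only argument.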

Connecting in the Portal

  1. In the Workforce AI Security portal, go to Settings > User & Device Sync.

  2. Expand Kandji.

  3. Enter the API URL and API Key.

  4. Click Save.