Kandji Configuration


Twingate integrates with Kandji so that admins can set it as a requirement to sign in to Twingate or access private Resources. When Kandji is selected as a trust method within Device Security, it can be incorporated into Security Policies. Only macOS devices that are verified through the Kandji integration will be considered to satisfy the Trusted Profile and be allowed to access private Resources.

How it works

Twingate integrates with Kandji by using the Kandji API to pull a list of devices managed under the configured tenant. The Twingate Client returns the device serial number and matches it to the list of serial numbers from Kandji. Devices are considered Kandji-verified if they meet the following requirements:

  • Its serial number is returned by Kandji
  • Has reported to Kandji within the past 7 days
  • Has the Kandji agent installed
  • Has an MDM profile installed
  • Has not been removed from Kandji

Generate an API Key

  • In the Kandji web app, open Settings in the left panel
  • Click on Access in the top bar
  • Scroll down to API Token and select Add Token
  • Type a Name and Description for your token
  • Save your API token. You’ll need it later

Configure the API Token

  • When the Manage API Permissions modal pops up, click on Configure
  • Under Devices, select Device details and Device list

Configuring the Kandji integration in Twingate

1. In Twingate, navigate to Settings and then select Device Integration

2. Select Connect next to Kandji and input your Kandji credentials.

Enter your Kandji URL with the format <subdomain>.clients.<region>.kandji.io

3. After the integration is configured, the Device Integrations page will show the current status of the integration

Incorporating Kandji into Security Policies

After the Kandji integration has been set up, it can be configured into Device Security Trusted Profiles.

For macOS, create a Trusted Profile and require Kandji as a Trust Method. Only devices considered Kandji-verified will satisfy the requirements of this Trusted Profile. This Trusted Profile can now be incorporated into Security Policies.


After the Kandji integration is set up, the Device Integrations page will show the status as “Waiting to sync”. During this time, devices may be missing the correct Kandji verification state. After a few minutes, the Device Integration page will show the most recent sync time, and devices will correctly show their state on their device details page.

A device can be listed as Kandji not verified for the following reasons:

  • The device is not managed by Kandji
  • The device has not reported back to Kandji within the past 7 days
  • The Kandji agent has been uninstalled from the device
  • The device does not have an MDM profile installed
  • The device has been removed from Kandji

In the case of a recoverable error (e.g. the Kandji API is unresponsive), the Kandji integration will show that it has failed to sync and indicate the time of the last successful sync. The Device Integrations page will reflect the time of the last successful sync. When we are able to reach the Kandji API, the errors will be resolved automatically.

In the case of an unrecoverable error (e.g. the Kandji credentials are no longer valid, is deleted, or the permissions have been altered), the Kandji integration will stop attempting to connect. Admins will be notified via email that the Kandji integration needs attention. For these errors, we recommend reconfiguring the integration and inputting new API client information.

Last updated 4 months ago