KANDJI - macOS Configuration Guide

The following contains procedures for configuring KANDJI for macOS.

The following are required for deployment.

  • BlocksiForOSX.pkg application. The app package file is downloaded together with these instructions.

  • Custom Postinstall script. The script is downloaded with these instructions. Filename is: post_install_script.sh.

  • Custom DNS Proxy .mobileconfig profile. The profile is downloaded together with these instructions. Filename is: Blocksi For OSX - DNS Proxy custom profile.mobileconfig.

  • LDAP users and OUs need to be synced with Blocksi.

    • This is done with the Blocksi AD Synchronization app.

    • The app needs to be installed and configured on your LDAP server.

    • You can download the instructions and the app from the Downloads window on the Blocksi Admin dashboard. The download section is located under Profile > Downloads.

  • Filtering policy created on BM Admin Dashboard and assigned to LDAP OU. Once the LDAP OUs and Users are synced with Blocksi, you need to create some filtering policies and assign them to LDAP OUs.

  • On Kandji MDM: Have macOS devices already enrolled in your Kandji dashboard.

To add a custom app

  1. Access the Library in the Kandji portal and press the + Add New button to add a new item.

  2. Search for Custom Apps.

  3. Click Custom Apps and then Add & Configure.

    [Screenshot: Add Library Item]
  4. Enter a name for the app in the Add a title text field. For example: Blocksi For OSX.

  5. Leave the Blueprint empty for now under Assignments.

  6. Click the + Add button next to the Rules text. This opens an Assignment Rules interaction to allow you to create the rules.

  7. Configure the Assignment Rules, as necessary. For example:

    • Select OS version in the Select input drop-down list.

    • Select is greater than from the 3rd drop-down list.

    • Type 12.5 in the Value field.

    • Click Confirm. The window should look like this:

      [Screenshot: Assignment Rules]
  8. Select Install once per device under Installation in the Settings section.

  9. Click the toggle next to the Not available in Self Service text to enable Self Service under Self Service in the Settings section.

    Before:

    [Screenshot: Self Service, before]

    After:

    [Screenshot: Self Service, after]
  10. Select Apps for Category.

  11. Customize the rest of the settings, if necessary.

  12. Select the Installer Package option in the Install Details section and click the click to upload link and upload the BlocksiForOSX.pkg file.

  13. Add a Postinstall Script:

    • Modify and type the contents of the provided post_install_script.sh file, or

    • Modify and type the following text in the Postinstall script text area:

      [Screenshot: Post Install Script]

    Note

    Replace admin@blocksi-super-admin.com value with your school super-admin email.

    Note

    Replace XXX.XXX.XXX:XX with your local network AD server IP address. For example, 10.11.11.11:53.

    When you have finished, the script should look like this:

    [Screenshot: Post Install Script]
  14. Select the Restart after successful install checkbox.

  15. Click Save.

To add the system extension

  1. Access the Library in the Kandji portal and press the + Add New button to add a new item.

  2. Search for System Extension.

  3. Click System Extension and then Add & Configure. The following window opens.

    [Screenshot: Add Title]
  4. Type a name for the system extension in the Add a title field. For example, System Extensions for Blocksi.

  5. Leave the Blueprint empty for now under Assignments.

  6. Click the + Add button next to the Rules text. This opens an Assignment Rules interaction to allow you to create the rules.

  7. Configure the Assignment Rules, as necessary. For example:

    • Select OS version in the Select input drop-down list.

    • Select is greater than from the 3rd drop-down list.

    • Type 12.5 in the Value field.

    • Click Confirm. The window should look like this:

      [Screenshot: Assignment Rules]
  8. Configure the Settings section as follows:

    • General: Clear Allow users to approve system extensions.

    • Team ID: FNVRG3YPHU

    • Name: (Optional)

    • System Extensions:

      • Allow specific system extensions

      • Click Add More to add the next allowed system extension: com.blocksi.filteringosx.proxyext.

      • Name: Blocksi System Extension

  9. When you have finished, you should see the following configuration:

    [Screenshot: Advanced System Extension]
  10. Click Save.

To create a custom configuration profile

Due to the requirements of macOS Ventura (and above), the Blocksi For OSX app requires one additional profile, called DNS Proxy, that can be pushed through Kandji from the Configuration Profiles section. To deploy it, follow the steps below.

  1. Access the Library in the Kandji portal and press the + Add New button to add a new profile by searching and selecting Custom Profile.

  2. Click Add & Configure. This opens a Custom Profile interaction to allow you to configure the profile.

  3. Type a name for the custom profile in the Add a title field. For example, Blocksi for OSX - DNS Proxy custom profile.

  4. Leave the Blueprint empty for now under Assignments.

  5. Select Mac in the Install on section.

  6. Configure the Assignment Rules, as necessary. For example:

    • Select OS version in the Select input drop-down list.

    • Select is greater than from the 3rd drop-down list.

    • Type 12.5 in the Value field.

    • Click Confirm. The window should look like this:

      [Screenshot: Assignment Rules]
  7. The Assignment section should look like this after it is configured:

    [Screenshot: Assignment Section]
  8. Scroll to the bottom of the page, and browse for the Blocksi For OSX - DNS Proxy custom profile.mobileconfig file in the Profile Details section and click Upload.

    [Screenshot: Profile Details]
  9. After the upload finishes, the XML Preview should look like this:

    [Screenshot: Profile Details, XML Preview]
  10. Click Save to save the profile settings.

To create a blueprint

Blueprints are used to configure app deployments and requirements.

  1. Click Blueprints in the left menu on the Kandji dashboard. A list of created Blueprints appears.

  2. Click + New Blueprint in the upper right-hand corner of the page to create a new Blueprint. This opens a Blueprint interaction to allow you to configure the settings.

  3. Choose from one of the Blueprint templates on the left-hand side or create a New Blueprint by selecting start from scratch.

    [Screenshot: Blueprint Screen]
  4. Give the blueprint a name. For example, Blueprint - Blocksi for OSX settings.

  5. Click the Create Blueprint button.

  6. Click Enable Library Items.

    [Screenshot: Blueprint Library Items]
  7. Add the previously created Library items:

    • Custom App

    • System Extension

    • Custom Profile

  8. Enable them by clicking the toggle button.

    [Screenshot: Blueprint Library Items]
  9. Click the Save Library Items button.

    The deployment configuration is now complete. All that is needed now is to enroll a device, assign it to the created Blueprint, and verify that the configuration is correctly installed.

To enroll devices to Kandji

If you don’t have any devices enrolled on Kandji, here is an example of how to enroll them.

  1. Navigate to Settings > Apple Integrations.

  2. Configure Automated Device Enrollment.

  3. Follow the instructions to add the MDM configuration on business.apple.com or school.apple.com.

To enroll the device

  1. Navigate to the Devices menu on Kandji.

  2. Click Add A Device.

  3. Follow the instructions to enroll the device.

  4. Enroll the device using the correct enrollment code for the Blueprint created in the previous steps.

  5. Do this for every device you want to enroll.

To test the configuration

  1. Make sure you configure the AD bind on the enrolled Mac device so that you can log in with AD users.

  2. Log in to a device with a user and wait for the MDM configuration blueprints to install.

    Note

    It can take anywhere up to 30 minutes for all items to install.

  3. Wait for 30 minutes for the auto-restart of the device or trigger it manually.

  4. Log in with an AD user account that has the OSX filtering policy assigned on the LDAP OU after the restart.

To verify Blueprint and app installation

You should see a filter icon in the upper right-hand corner of the screen when you log in to the device. This is the Blocksi for OSX app agent.

  1. Open System Settings and go to Network > Filters.

  2. Make sure that the Blocksi Filter is Enabled.

    [Screenshot: Filters Proxies]
  3. Verify Blueprint installation on Kandji:

  4. On Kandji, navigate to Devices and click on the target device.

  5. For each item in the Status tab, check that their status is either Pass or Success.

    [Screenshot: Status Tab]
  6. Expand the Blocksi for OSX column and verify that the Postinstall script exited with success.

    [Screenshot: Last Audit]

    At the end of the log transcript, you should also see the log Post-Install Script successfully executed.
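A command-line cross-check of the system extension allowed earlier in this guide, as an added example that is not part of the Blocksi or Kandji instructions: it parses `systemextensionsctl list` output and passes only when the extension with Team ID FNVRG3YPHU and bundle ID com.blocksi.filteringosx.proxyext is activated and enabled. The tab-separated row layout is an assumption about the tool's output, and the sample output (version, display name) is constructed.

```shell
#!/bin/sh
# Added example: confirm the system extension allowed in the Kandji
# System Extension item is active. Not part of the vendor instructions.
TEAM_ID="FNVRG3YPHU"                        # Team ID from this guide
EXT_ID="com.blocksi.filteringosx.proxyext"  # allowed extension from this guide

# ext_state: read `systemextensionsctl list` output on stdin; print the state
# of the matching extension, or "missing". Assumes tab-separated rows:
# enabled, active, teamID, "bundleID (version)", name, [state].
ext_state() {
    awk -F '\t' -v team="$TEAM_ID" -v ext="$EXT_ID" '
        NF >= 6 && $3 == team {
            split($4, b, " ")               # b[1] is the bundle ID
            if (b[1] != ext) next
            state = $6
            gsub(/^\[|\]$/, "", state)      # strip the surrounding brackets
            # An old version may linger until reboot: prefer the active row.
            if (found != "activated enabled") found = state
        }
        END { print (found == "" ? "missing" : found) }
    '
}

# check_extension: return 0 only when the extension is activated and enabled.
check_extension() {
    state=$(ext_state)
    case "$state" in
        "activated enabled") echo "OK: $EXT_ID is $state"; return 0 ;;
        missing) echo "FAIL: $EXT_ID (team $TEAM_ID) is not installed"; return 1 ;;
        *) echo "FAIL: $EXT_ID is '$state'"; return 1 ;;
    esac
}

# Constructed sample output, not captured from a real device.
sample_ok() {
    printf '1 extension(s)\n--- com.apple.system_extension.network_extension\n'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '*\t*\t%s\t%s (1.0/1)\tBlocksi\t[activated enabled]\n' "$TEAM_ID" "$EXT_ID"
}

# On a managed Mac use the real tool; elsewhere fall back to the sample.
if command -v systemextensionsctl >/dev/null 2>&1; then
    systemextensionsctl list | check_extension
else
    sample_ok | check_extension
fi
```

A state such as "activated waiting for user" means the extension was installed but not approved, which points to the System Extension library item not having reached the device.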

To verify filtering

  1. Log in to the Mac device with an LDAP user.

  2. Open a browser to see if filtering is applied correctly.

  3. Navigate to some sites that you blocked with either the Web filter or the Exception List.

  4. You should see one of the following screens on blocked sites:

    [Screenshot: Access Denied Screen]
    [Screenshot: Connection Not Private]
  5. On the Blocksi Admin dashboard, navigate to Web Analytics > Insights and go to Logs. Verify that the user's browsing on the Mac device appears in the logs.