# Kandji

SureCloud connects to Kandji to retrieve Apple device inventory, MDM enrolment status, compliance blueprint assignments, and security configuration state. This allows SureCloud to confirm that macOS, iOS, and iPadOS devices are enrolled in Kandji, assigned to appropriate compliance blueprints, and meeting security requirements such as FileVault encryption, Gatekeeper enforcement, and screen lock configuration.

## Authentication and setup

Kandji authenticates API requests using an API token. SureCloud uses a read-only API token generated within your Kandji tenant.

{% stepper %}
{% step %}
**Generate an API token in Kandji**

Log in to your Kandji tenant at `https://<your-subdomain>.kandji.io`. Navigate to **Settings → Access → API Token** and click **Generate Token**. Give it a name such as `SureCloud CCM`. Copy the token — it is only displayed once.
{% endstep %}

{% step %}
**Note your Kandji API base URL**

Your Kandji API base URL follows the pattern `https://<your-subdomain>.api.kandji.io`, where `<your-subdomain>` is the same subdomain that appears in your Kandji console URL. You will need this when configuring the connection in SureCloud.
{% endstep %}

{% step %}
**Enter the credentials in SureCloud**

Navigate to **SureCloud → Integrations → Kandji → Connect**. Enter your Kandji API base URL and paste the API token. Click **Save** and then **Test Connection**.
{% endstep %}
{% endstepper %}

{% hint style="warning" %}
Store the API token securely after copying it. SureCloud encrypts it at rest, but treat it as a sensitive credential. Rotate it every 90 days in **Kandji → Settings → Access → API Token** and update it in **SureCloud → Integrations → Kandji → Edit Connection**.
{% endhint %}

## Endpoints

| API Call                                  | Use Case                                                                                    |
| ----------------------------------------- | ------------------------------------------------------------------------------------------- |
| `GET /api/v1/devices`                     | Enumerate all enrolled devices including platform, model, MDM status, and blueprint         |
| `GET /api/v1/devices/{device_id}`         | Retrieve individual device detail including OS version and last MDM check-in                |
| `GET /api/v1/devices/{device_id}/details` | Retrieve detailed device security posture including FileVault status and Gatekeeper setting |
| `GET /api/v1/blueprints`                  | List Kandji blueprints to confirm compliance configuration scope                            |
| `GET /api/v1/library/library-items`       | Enumerate library items (profiles, scripts, apps) deployed via Kandji                       |
| `GET /api/v1/devices/{device_id}/apps`    | Retrieve installed applications on a device for software inventory evidence                 |

## Pagination

`GET /api/v1/devices` returns up to 300 devices per page. SureCloud uses the `next` link from the response to retrieve subsequent pages until no `next` link is present.

```http
GET /api/v1/devices?limit=300&offset=300
```

`GET /api/v1/blueprints` and `GET /api/v1/library/library-items` return complete result sets in a single response for most tenant sizes.
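
The pagination loop described above, as an added Python example (not SureCloud's or Kandji's own code). It also refuses to follow a `next` link that leaves the configured API host, since the token is sent with every request. The `fetch` callable, the `results`/`next` response shape, and the `acme` tenant are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

PAGE_SIZE = 300  # page size stated in this document

def api_base(url):
    """Return https://<subdomain>.api.kandji.io, rejecting the console URL."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    # Hostname pattern as given on this page.
    if parts.scheme != "https" or not re.fullmatch(r"[a-z0-9-]+\.api\.kandji\.io", host):
        raise ValueError(f"not a Kandji API base URL: {url!r}")
    return f"https://{host}"

def list_devices(base_url, fetch, max_pages=1000):
    """Follow `next` links until none is present and return all devices.

    fetch(url) is supplied by the caller, sends the authenticated GET and
    returns the decoded JSON. Assumed shape: {"results": [...], "next": url}.
    """
    base = api_base(base_url)
    url = f"{base}/api/v1/devices?limit={PAGE_SIZE}&offset=0"
    devices, seen = [], set()
    for _ in range(max_pages):
        if url in seen:
            raise RuntimeError(f"pagination loop at {url}")
        seen.add(url)
        page = fetch(url)
        devices.extend(page.get("results", []))
        nxt = page.get("next")
        if not nxt:
            return devices
        # The API token is sent with every request, so a `next` link that
        # points at any other host must not be followed.
        link = urlsplit(nxt)
        if f"{link.scheme}://{link.netloc.lower()}" != base:
            raise RuntimeError(f"next link leaves the API host: {nxt}")
        url = nxt
    raise RuntimeError("max_pages exceeded")

# Constructed sample: two pages for a hypothetical tenant "acme".
SAMPLE = {
    "https://acme.api.kandji.io/api/v1/devices?limit=300&offset=0": {
        "results": [{"device_id": "d1"}, {"device_id": "d2"}],
        "next": "https://acme.api.kandji.io/api/v1/devices?limit=300&offset=300",
    },
    "https://acme.api.kandji.io/api/v1/devices?limit=300&offset=300": {
        "results": [{"device_id": "d3"}], "next": None},
}

if __name__ == "__main__":
    print(len(list_devices("https://acme.api.kandji.io", SAMPLE.__getitem__)))
```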

## Required permissions

Kandji API tokens are account-scoped and provide read-only access to device and configuration data by default. No special elevation or additional permissions are required beyond standard API token generation.

The token requires access to:

* Device inventory and details (read)
* Blueprint configuration (read)
* Library items (read)
* Application inventory (read)

## Polling frequency

| Data Type                                       | Interval       |
| ----------------------------------------------- | -------------- |
| Device inventory and MDM enrolment status       | Every 24 hours |
| Device security posture (FileVault, Gatekeeper) | Every 24 hours |
| Blueprint assignments                           | Every 24 hours |
| Installed application inventory                 | Every 24 hours |

## Troubleshooting

<details>

<summary>Connection test returns 401 Unauthorized</summary>

The API token is invalid, has been regenerated, or the wrong API base URL is configured. Confirm the token is still active in **Kandji → Settings → Access → API Token**. Verify the base URL matches your Kandji subdomain (format: `https://<subdomain>.api.kandji.io`). Update the credentials in **SureCloud → Integrations → Kandji → Edit Connection**.

</details>

<details>

<summary>Some devices are missing from SureCloud despite being enrolled in Kandji</summary>

Devices that are MDM-enrolled but have not yet checked in (for example, newly provisioned devices awaiting user activation) may not appear in all endpoint detail calls. SureCloud collects the full device list from `GET /api/v1/devices`, which includes all enrolled records regardless of check-in recency. If specific devices are absent, confirm they appear in the Kandji console under **Devices** and check their MDM status.

</details>

<details>

<summary>FileVault or Gatekeeper status is not appearing in SureCloud</summary>

Security posture details are returned from `GET /api/v1/devices/{device_id}/details` and require the device to have reported its status to Kandji via MDM. If a device has not checked in recently, its security detail data may be stale or absent. Review device check-in times in the Kandji console to identify devices that may need MDM re-enrolment or agent updates.

</details>

<details>

<summary>API base URL returns a connection error</summary>

Kandji's API subdomain must match the subdomain in your Kandji console URL exactly. For example, if your console is `https://acme.kandji.io`, the API base URL is `https://acme.api.kandji.io`. A common error is using the console URL directly as the API URL — these are different hostnames. Correct the base URL in **SureCloud → Integrations → Kandji → Edit Connection**.

</details>

