Iru (formerly Kandji)

Strong SCEP support with AD CS Connector; integrates with Microsoft AD CS, GlobalSign, SecureW2.

.mobileconfig upload for Apple System Channel; limited Android via third-party app configs.

120+ one-click restrictions for Apple; full Declarative Device Management on iOS 16+; Android/Windows supported.

Custom profiles with global profile variables ($EMAIL) for personalized email configuration.

DDM-based passcode on iOS 16+; configurable gap 0 min to 8 hrs; password change frequency daily to biennially.

iOS per-app VPN via AppConfig supported. No per-app VPN on Android, Windows, or macOS.

Native VPN profiles via MDM; integrates with OpenVPN, NordVPN, Twingate, AWS VPN Client.

Enterprise Wi-Fi profiles with EAP-TLS support and trusted certificate integration.

Added post-Oct 2025 rebrand; supports Google zero-touch provisioning for bulk Android enrollment.

Core ADE capability with improved interface; supports Setup Assistant for Mac, iPhone, iPad, Apple TV, Vision Pro.

Leverages ADE, zero-touch, and Knox for bulk provisioning; supports staged rollout with test groups.

Assignment Maps and rules with Azure AD, Google Workspace, Okta integration for identity-driven enrollment.

Universal Enrollment Portal with unique URLs and codes; QR code scanning for Android and iOS.

No Knox ME documentation found. Samsung devices use standard Android zero-touch enrollment.

Self-service enrollment portal with BYOD blueprints; supports User Enrollment on Apple with privacy separation.

Windows Autopilot zero-touch provisioning supported with automatic policy and app deployment. Source: iru.com/resources/device-management/windows.

Restrictions profile with blocklist/allowlist; Auto Apps prevents unapproved use; app lock for maximum restriction.

Self Service app library; 200+ Auto Apps pre-packaged for Mac/Windows; VPP, Google Play distribution.

AppConfig XML dictionaries for app settings; strong iOS support, limited Android/macOS.

Full ABM Apps and Books integration; auto-converts unmanaged to managed apps; device-based licensing.

Added post-Oct 2025; Google Play deployment for Android with zero-touch app distribution.

App policy management; full iOS/iPad support, growing Android/Windows; container-based approach.

Auto Apps silently cache and install without user interruption; iOS apps deploy silently via MDM.

Windows Win32/LOB deployment; macOS supports .pkg custom app packages.

AI-powered compliance automation with adaptive evidence mapping; real-time compliance dashboards.

Third-party DLP integration (SURF Security); Iru EDR provides data protection; strongest on Mac/Windows.

FileVault on macOS fully documented. BitLocker referenced in general context but no dedicated support article found. iOS encryption native.

iOS Lost Mode with 15-min updates; conditional access geofencing; limited Android/Mac support.

iOS jailbreak detection documented. Android root detection confirmed; auto-blocks corporate access for rooted devices. Source: iru.com/resources/device-management/android.

EACS command for Apple; full device wipe for Android/Windows; Return to Service option on Apple.

iOS BYOD/User Enrollment separates data; Android work profile; macOS/Windows limited selective wipe.

Iru EDR for Mac/Windows with behavioral analysis; iOS/Android via third-party MTD APIs.

Visibility into outdated OS versions only; no direct update control. Android updates follow manufacturer schedules. Source: iru.com/resources/device-management/android.

macOS firmware managed via Apple OS updates. No Windows/Android firmware or driver management.

Managed OS with automatic enforcement or minimum version; supports deferral restrictions and countdown timer.

Flagship Managed OS for macOS; automatic enforcement, beta release control, 30-min countdown before forced install.

iOS Software Update Deferral restriction; macOS Managed OS with flexible deferral; Windows configurable periods.

Schedules quiet updates, prompts users, and enforces when needed; supports deferral and staged rollout.

Prism reporting provides app inventory; installed apps per device; analytics more limited than dedicated UEM.

Automated auditing for compliance; logs admin actions and device changes; Sumo Logic/SIEM integration.

AI-powered compliance automation; adaptive evidence mapping; audit-ready evidence collection.

Prism reports with custom filtering and detailed reporting across device status, compliance, ops.

Consolidated device view with quick filtering, exports, and searchable attributes.

Real-time compliance dashboards; device check-in status; real-time threat alerts from EDR.

Custom Scripts Library executes as root on macOS; Windows agent supports scripts; iOS/Android limited.

Restart with configurable countdown (default 30 min); force restart option; all platforms supported.

Lock Device generates 6-digit PIN; supported on all platforms; immediate execution.

Native VNC on macOS; iOS Lost Mode location view; third-party integrations (TeamViewer, Splashtop).

Kandji Agent CLI on macOS; Custom Script Library for root-level execution; Windows limited.

Erase Device action; EACS for Apple, Return to Service option; full wipe for Android/Windows.

Assignment Rules target by device type (iPhone, iPad, Mac, Windows, Android).

Tags with Assignment Rules and Maps enable conditional policy targeting; visual conditional logic.

Geofencing via conditional access; location-based assignment; network-based targeting through policy conditions.

Multi-value tag system used with Assignment Rules/Maps; organization-wide targeting mechanism.

Directory integration enables centralized user-based assignment with automatic device assignment.

SCIM sync for user/group objects; native OIDC and SAML SSO; Passport for Mac login.

Assignment Maps provide conditional logic; Azure AD conditional access integration; location/network targeting.

Full SCIM directory integration with 4-hour sync cycles; Passport supports Google Workspace SAML auth.

SAML integration with Okta; Passport OIDC; 23 Okta Workflows connector cards for automation.

AD CS Connector for certificates; no direct LDAP; primarily through cloud directory sync.

Both SAML and OIDC supported for console and Passport; native Azure AD, Okta, Google integrations.

150+ pre-built automations; Okta Workflows with 23 connector cards; Assignment Rules/Maps for policy automation.

REST API enables custom connectors; Unified.to and Workato pre-built integration patterns.

Comprehensive REST API (10,000 req/hr rate limit); full CRUD on devices and policies.

Native ServiceNow integration via Import Set API; real-time device inventory sync; CMDB mapping.

Sumo Logic integration; audit logs exportable for SIEM ingestion; EDR threat event logging.

Webhooks for instant updates; event-driven automation with third-party platform integration.