Nightfall macOS Agent Deployment: Iru (Kandji) MDM

This document explains how to install the Nightfall AI agent on macOS devices using the Kandji MDM.


The Kandji MDM has now been rebranded as Iru.

Prerequisites

  • You are a Systems Administrator in Nightfall

  • You have administrator access to Kandji

  • The Kandji APNs (Apple Push Notification service) certificate is set.

  • The target macOS devices are onboarded.

  • On your Nightfall console, navigate to https://app.nightfall.ai/endpoint and click the Download Package button on the top right corner of the page. Click Download Package for macOS and unpack the contents of the downloaded file.


To install the Nightfall agent in stealth mode (without notifying the end user), see Install Nightfall AI Agent for macOS.

mdm_pre_installation_script.sh

The script is used by MDMs to ensure that a macOS machine is in a clean state before installing the Nightfall Agent. It wipes any existing Nightfall installation and prepares a clean environment for a new install, including:

  • Loading API keys

  • Rebuilding folders

  • Resetting launch daemons

NightfallAI_Profile_with_Browser_Extension.mobileconfig

This profile is designed to pre-authorize and enable what the Nightfall Endpoint Agent requires on a macOS machine without needing user prompts.

  • Silently installs/enables the Nightfall browser extension

  • Allows the extension to run without prompts

  • Authorizes required permissions (content inspection, file uploads, scanning)

  • Grants macOS Privacy Permissions required by Nightfall:

    • Full Disk Access (FDA)

    • System Events/Automation Permissions

    • Application Control Permissions

  • Configures the payloads for browser + system integration

  • Prevents users from tampering with the security controls

Connect Iru (Kandji) to Nightfall (API-based MDM Onboarding)

This step enables automated mapping of user profiles to devices without requiring manual scripts.

API-based MDM onboarding allows Nightfall to automatically map the user email attribute to specific devices by syncing device inventory from your Iru (Kandji) instance.

What You'll Need from Iru (Kandji)

To connect Iru (Kandji) to Nightfall, you'll need:

  • Iru (Kandji) Organization API URL (for example: yourcompany.api.kandji.io)

  • API Token with read access to device inventory

Creating API Token in Iru (Kandji)

  1. Log in to your Iru (Kandji) instance

  2. Navigate to Settings > Access > API Token

  3. Click Generate New Token

  4. Configure the following:

    • Name: Nightfall Integration

    • Permissions: Select Read for:

      • Devices

      • Device Details

      • Users

  5. Click Generate Token

  6. Copy the API Token - you'll need this in the next step and it will only be shown once


Important: Store the API token securely. It will not be displayed again after you close the dialog.

Finding Your Iru (Kandji) Organization API URL

Your Kandji Organization API URL follows this format: yourcompany.api.kandji.io

Where yourcompany is your organization's subdomain in Kandji.

You can find this in your Kandji admin panel:

  1. Log in to Kandji

  2. Look at your browser URL (e.g., https://yourcompany.kandji.io)

  3. Your API URL is: yourcompany.api.kandji.io
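Before pasting the URL and token into the Nightfall console, a short preflight check catches the two most common mistakes: entering the admin-console hostname instead of the API hostname, and using a token that lacks the Devices read permission. The script below is an added example, not tooling from Nightfall or Kandji; it assumes Kandji's Bearer-token GET /api/v1/devices endpoint and uses yourcompany as a placeholder subdomain.

```shell
#!/bin/sh
# Added example (not Nightfall's or Kandji's own tooling). Derives the Kandji
# Organization API URL from the admin-console URL shown in the browser and,
# if KANDJI_API_TOKEN is set, confirms the token can read device inventory
# before it is pasted into the Nightfall console.
# Assumption: Kandji's "List Devices" endpoint is GET /api/v1/devices with a
# Bearer token; the subdomain "yourcompany" is a placeholder.

# Turn "https://yourcompany.kandji.io/..." into "yourcompany.api.kandji.io".
# Prints nothing and returns 1 if the input is not a Kandji hostname.
kandji_api_host() {
    host=$(printf '%s' "$1" | sed -E 's#^https?://##; s#[/?].*$##')
    case "$host" in
        *.api.kandji.io) printf '%s\n' "$host" ;;          # already an API host
        *.kandji.io) printf '%s\n' "${host%.kandji.io}.api.kandji.io" ;;
        *) return 1 ;;
    esac
}

# Read-only probe: request a single device. HTTP 200 means the token has the
# Devices read permission Nightfall needs; 401 or 403 means it does not.
kandji_token_can_read_devices() {
    api_host=$1; token=$2
    code=$(curl -s --max-time 15 -o /dev/null -w '%{http_code}' \
        -H "Authorization: Bearer $token" \
        "https://$api_host/api/v1/devices?limit=1")
    [ "$code" = "200" ]
}

admin_url=${KANDJI_ADMIN_URL:-https://yourcompany.kandji.io}   # placeholder
if api_host=$(kandji_api_host "$admin_url"); then
    echo "Kandji Organization API URL: $api_host"
    if [ -n "${KANDJI_API_TOKEN:-}" ]; then
        kandji_token_can_read_devices "$api_host" "$KANDJI_API_TOKEN" \
            && echo "token can read device inventory" \
            || echo "token cannot read device inventory (check its permissions)"
    fi
else
    echo "not a Kandji hostname: $admin_url" >&2
fi
```

Run it with KANDJI_ADMIN_URL set to the URL from your browser and KANDJI_API_TOKEN set to the token you just generated; the network probe is skipped when the token variable is empty.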

Connecting Iru (Kandji) to Nightfall

  1. Log in to the Nightfall Console at https://app.nightfall.ai

  2. Navigate to Settings > MDM Profile

  3. Click Add MDM

  4. Select Kandji from the list of supported MDM providers

  5. Enter the following information:

    • Kandji Organization API URL: Your Kandji API URL (e.g., yourcompany.api.kandji.io)

    • API Token: The API Token you created in Kandji

  6. Click Connect

Nightfall will validate the credentials and begin syncing device information automatically.

Important: This API-based connection enables Nightfall to automatically map user email addresses to devices. You do not need to deploy any additional scripts for user-to-device mapping when using this method.

After Connection

Once connected, Nightfall will periodically sync device inventory from Kandji. You can now proceed to deploy the Nightfall agent to your devices following the steps below.

Create a Blueprint

  1. Click New Blueprint on the top right corner.

  2. Click New Blueprint on the pop-up menu.

  3. Enter a name for the blueprint in the Blueprint name field.

  4. Enter a description for the blueprint in the Blueprint description field.

  5. Click Create Blueprint.

Create Custom Profiles

In this section, we create a custom profile for each of the profiles provided in the Nightfall endpoint payload and assign them to the blueprint you have created in the previous section.

  1. In the downloaded folder, locate the README.md under /Profiles to learn about the various MDM profiles available.

    a. Choose the NightfallAI_Profile_with_Browser_Extensions.mobileconfig.

    b. Select Custom Profile and click Add & Configure on the pop-up window.

    c. Add a Title, select the Blueprint, and finally drag and drop the .mobileconfig file.

    d. Click Save.

Create a Custom App

In this section, we will create a custom app item for Nightfall Endpoint Agent.

  1. Click Add New.

  2. Click Custom App.

  3. Click Add & Configure on the pop-up window.

    a. Add a Title and select the Blueprint you previously created.

    b. Select the Audit and enforce option.

    c. Paste the content of mdm_kandji_audit_script into the Audit Script text box.

    d. Choose the Installer Package option.

    e. Add the Preinstall Script and upload the installer package:

      i. Paste the content of mdm_pre_installation_script into the Pre-install Script text box.

      ii. Drag and drop or click to upload the provided nightfall-ai-agent_v*.*.*.pkg file.

  4. Save the changes and wait for them to be deployed to the managed devices.
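The audit script is what drives Kandji's Audit and enforce mode: an exit status of 0 means the device passes the audit, and any other status makes Kandji run the pre-install script and the installer package. The script below is an added illustration of that pattern, not Nightfall's provided mdm_kandji_audit_script (paste the provided script into the Audit Script box as step c says); the app bundle path and launchd label are placeholders.

```shell
#!/bin/sh
# Added example of the audit-script pattern Kandji's "Audit and enforce" mode
# expects. It is NOT Nightfall's provided mdm_kandji_audit_script; use the
# provided script in production. Kandji reads the script's exit status:
# 0 = audit passed (nothing to do), non-zero = audit failed (enforce install).
# Assumptions (placeholders): the bundle path and launchd label below.
# Kandji runs audit scripts as root, which "launchctl print system/..." needs.

APP_PATH=${NIGHTFALL_APP_PATH:-/Applications/PLACEHOLDER-NightfallAgent.app}
DAEMON_LABEL=${NIGHTFALL_DAEMON_LABEL:-com.example.placeholder.agent}

# Returns 0 when the path exists and has the structure of a real app bundle.
app_bundle_present() {
    [ -d "$1" ] && [ -f "$1/Contents/Info.plist" ]
}

# Returns 0 when launchd knows the daemon label in the system domain.
daemon_loaded() {
    launchctl print "system/$1" >/dev/null 2>&1
}

# Combined audit: both conditions must hold for the device to pass.
audit() {
    if ! app_bundle_present "$1"; then
        echo "audit: app bundle missing at $1"; return 1
    fi
    if ! daemon_loaded "$2"; then
        echo "audit: launch daemon $2 not loaded"; return 1
    fi
    echo "audit: agent bundle present and daemon loaded"
    return 0
}

# A passing audit exits 0; a failing one leaves the non-zero status for Kandji.
audit "$APP_PATH" "$DAEMON_LABEL" && exit 0
```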

Frequently Asked Questions (FAQs)

Do I still need to install a Nightfall agent on devices after API-based onboarding?

Yes. API-based MDM onboarding enables Nightfall to map user email addresses to devices automatically. You still need to deploy the Nightfall agent to the devices using the steps above.

What permissions does Nightfall need in Kandji?

Nightfall requires least-privilege (read-only) access to device inventory. It does not modify device settings or configurations. User-email-to-device attribution is handled automatically with API-based MDM onboarding, and no manual scripts are needed.

What happens if API credentials expire or are revoked?

If credentials expire or are revoked:

  • Device syncing will stop. New devices added or removed will not be reflected in Nightfall during that time.

  • Nightfall will surface an error in the console.

  • You can re-authenticate or update credentials without reconfiguring policies.

Can I disconnect or change my MDM connection later?

Yes. Contact Nightfall Support to disconnect or update your MDM connection from Settings → MDM Profile.

Who should I contact if onboarding fails?

If you encounter issues:

  • Verify API credentials and permissions in Kandji

  • Check the error message in the Nightfall console

  • Contact Nightfall Support for assistance
