--- title: Kandji API Integration on Truto slug: kandji category: Default canonical: "https://truto.one/integrations/detail/kandji/" --- # Kandji API Integration on Truto **Category:** Default **Status:** Beta ## Unified APIs ### Unified User Directory API - **Users** — The User object represents a User. ### Unified MDM API - **Apps** — Core resource which represents a software application installed on a managed device. Installed software is typically mapped to installed applications, installed programs, packages, or inventory items depending on the underlying product. - **Devices** — Core resource which represents a managed device in an MDM or RMM system. Devices are typically mapped to endpoints, nodes, or assets depending on the underlying product. - **Users** — Users represent the people using the underlying MDM or RMM system. They are usually called employees, contractors, admins, etc. ## MCP-ready AI tools Truto exposes 11 tools for Kandji that AI agents can call directly. - **list_all_kandji_devices** — Get a list of devices in Kandji. Returns fields including device_id, device_name, model, platform, os_version, serial_number, user, and tags. - **get_single_kandji_device_by_id** — Get device details for a specified device in Kandji. Requires device id. Returns device information including hardware, software, and status fields. - **update_a_kandji_device_by_id** — Update device information in Kandji using id. Supports updating user assignment, asset_tag, blueprint_id, and tags. Use null to clear asset_tag or user, and empty list to clear tags. Returns updated device fields. - **delete_a_kandji_device_by_id** — Delete a specific device in Kandji using id. This removes the device record, unenrolls it from MDM, and automatically uninstalls the agent on next check-in for macOS and Windows devices. Returns no content. - **list_all_kandji_device_apps** — Get a list of all installed apps for a specified device in Kandji. Requires device_id. The response includes app details, such as name and version. - **list_all_kandji_device_library_items** — Get all library items and their statuses for a specified device in Kandji. Returns fields including library item status indicating availability, installation state, and compatibility. - **list_all_kandji_blueprints** — Get a list of blueprints in Kandji. Returns blueprint records with details such as id and name. - **get_single_kandji_blueprint_by_id** — Get information about a specific blueprint in Kandji using id. Returns blueprint details including configuration and metadata. - **list_all_kandji_users** — List users in Kandji. Returns an array of users with key details such as id, email, name, active, archived, created_at, updated_at, department, job_title, device_count, and integration information. - **get_single_kandji_user_by_id** — Get details for a specific user in Kandji using id. Returns key fields including name, email, active status, department, job_title, device_count, and integration details such as id, name, and type. - **delete_a_kandji_user_by_id** — Delete a specific user in Kandji by id. Returns no content on success. If the user is still assigned to one or more devices, a 400 error with 'detail' explaining the assignment issue is returned. ## How it works 1. **Link your customer's Kandji account.** Use Truto's frontend SDK; we handle every OAuth and API key flow so you don't need to create the OAuth app. 2. **Authentication is automatic.** Truto refreshes tokens, stores credentials securely, and injects them into every API request. 3. **Call Truto's API to reach Kandji.** The Proxy API is a 1-to-1 mapping of the Kandji API. 4. **Get a unified response format.** Every response uses a single shape, with cursor-based pagination and data in the `result` field. ## Use cases - **Automate SOC 2 and ISO 27001 evidence collection from Apple fleets** — GRC and compliance platforms can continuously pull device library items, installed apps, and Blueprint enforcement statuses from Kandji to prove that encryption, EDR, and password policies are actively applied across every employee laptop — eliminating manual screenshot-based audits. - **Sync Apple device inventory into IT asset management platforms** — ITAM tools can pull the full Kandji device inventory — including serial numbers, OS versions, assigned users, and hardware models — to reconcile physical assets against procurement records and flag unmanaged or stale devices automatically. - **Power zero-touch onboarding and secure offboarding from HRIS platforms** — HR and People Ops tools can programmatically assign devices to Blueprints during onboarding and delete users and devices from Kandji when an employee is terminated, ensuring company access is revoked instantly without IT intervention. - **Enforce device posture checks before granting application access** — Zero Trust and SaaS management platforms can query Kandji at login time to verify that a user's device has the required apps installed, is running a compliant OS version, and is assigned to an approved Blueprint before granting access. - **Automate threat response by quarantining compromised endpoints** — Security orchestration platforms can look up a flagged device in Kandji by ID and immediately reassign it to a restricted quarantine Blueprint, isolating the endpoint without waiting for a human to take action. ## What you can build - **Real-time device compliance dashboard** — Pull all Kandji devices and their library item statuses to surface a live view of which endpoints meet security policies and which are drifting out of compliance. - **Automated employee offboarding workflow** — Trigger Kandji user deletion and device removal directly from your app when an employee is terminated, ensuring MDM unenrollment and agent uninstall happen in seconds. - **Blueprint assignment selector for IT admins** — Fetch available Kandji Blueprints and present them in a dropdown so IT admins can assign the correct configuration profile to a new hire's device without leaving your product. - **Installed software inventory with version tracking** — List all apps installed on each Kandji-managed device to detect outdated software, missing security tools, or unauthorized applications across the fleet. - **Cross-platform user directory sync** — Use Truto's Unified User Directory API to sync Kandji user records — including names, emails, and statuses — alongside users from HRIS and identity providers into a single canonical view. - **Device-to-identity mapping for access decisions** — Match Kandji device records to user identities so your app can answer the question 'is this person accessing our service from a managed, compliant device?' at authentication time. ## FAQs ### What authentication method does Kandji use for API access? Kandji uses API token-based authentication. Your end users generate a Bearer token from the Kandji admin console, and Truto handles storing and passing it securely on every request — no OAuth flow required. ### What operations are supported — is it read-only or read/write? Both. You can read devices, users, apps, library items, and Blueprints. You can also update device properties (such as asset tag, assigned user, or Blueprint), and delete devices and users programmatically via Truto. ### Does Truto handle pagination for Kandji's device and user list endpoints? Yes. Truto automatically manages pagination across all list endpoints — including devices, users, apps, library items, and Blueprints — so you receive complete result sets without writing pagination logic. ### Which Truto Unified APIs map to Kandji? Kandji is available through both the Unified User Directory API (for user records) and the Unified MDM API (for devices, apps, and users), letting you normalize Kandji data alongside other MDM and directory providers. ### What happens if I try to delete a Kandji user who is still assigned to a device? Kandji returns a 400 error if you attempt to delete a user who still has active device assignments. Your workflow should first unassign or delete associated devices before removing the user record. ### Can I change which Blueprint a device is assigned to via the API? Yes. Using the update device endpoint, you can change a device's blueprint_id to reassign it to a different configuration profile — useful for role changes, quarantining compromised devices, or onboarding workflows. ## Related reading - [Connect Kandji to ChatGPT: Automate Device Audits](https://truto.one/blog/connect-kandji-to-chatgpt-automate-device-audits/) — Learn how to connect Kandji to ChatGPT using a managed MCP server. A step-by-step technical guide to automating MDM device audits, app compliance, and security logs. - [Connect Kandji to Claude: Automate MDM Workflows](https://truto.one/blog/connect-kandji-to-claude-automate-mdm-workflows/) — Learn how to connect Kandji to Claude using a managed MCP server. Automate device audits, query fleet telemetry, and execute MDM workflows without writing code. - [Connect Kandji to AI Agents: Automate MDM Workflows & Audits](https://truto.one/blog/connect-kandji-to-ai-agents-automate-mdm-workflows-audits/) — Learn how to connect Kandji to AI agents using Truto's /tools endpoint and LangChain—without hand-coding pagination schemas for every endpoint.