Kandji connector

Use your Kandji data for reporting, automation and AI.

Data Panda pulls your Kandji devices, blueprints, software titles, vulnerabilities and lifecycle events into the same warehouse as your HR, finance and sales data. From one place we turn it into dashboards, automations, AI workflows and custom apps that IT, finance and security leads use during the month, not only the morning of an audit.

About Kandji

The Apple-first MDM that automates compliance on Mac, iPhone and iPad out of the box.

Kandji was founded in 2018 in San Diego by Adam Pettit, his brother Wesley Pettit and Mark Daughters, with a founding team that came out of Apple and an Apple-certified IT consultancy that deployed thousands of Macs before the company existed. By 2024 the company reported annual recurring revenue up more than 600 percent since 2021 and a customer base above 4,000 organisations across more than 40 industries, with logos like Canva, Deel, Twilio, Notion and Wiz on the reference list.

The product is built on Apple's MDM protocol and integrates with Apple Business Manager, with 150-plus pre-built controls, the Liftoff zero-touch enrollment experience, Auto Apps for automated patching across 200-plus titles, Blueprints and the newer Assignment Maps for scoping, Prism for fleet visibility, Passport for user authentication and a built-in EDR and Vulnerability Management module under the Device Harmony banner. The frame against Jamf Pro is straightforward: cloud-native from day one, faster to set up, and biased to automated remediation rather than custom scripting, which is why Apple-first IT estates with limited Mac-admin headcount tend to land here. In October 2025 the company rebranded as Iru and extended into Windows and Android management, but the Apple endpoint stack and the existing Kandji APIs continue under the same engine. Pulled into a warehouse next to HiBob, NetSuite and Okta, the device record finally answers questions a Kandji view alone cannot: cost-per-active-employee on the SaaS catalog, vulnerability backlog by business unit, and the leavers whose Mac is still phoning home a week after their HR end date.

What your Kandji data is for

What you get once Kandji is connected.

Device and compliance reporting

Devices, blueprints, software, vulnerabilities and lifecycle state on one page across every site and business unit.

Active Macs, iPhones, iPads and Apple TVs per site, BU and assignment, against the staffed headcount
Blueprint-versus-policy drift per BU, with the controls that fell out of compliance named
Vulnerability backlog per BU, severity and patch age, against the agreed SLA

Process automation

Turn Kandji device, software and vulnerability events into the downstream work the rest of the stack expects, without a per-tool handoff.

Lock and wipe leaver Macs the day the HR record closes, not the day the access review catches it
Open Jira tickets per vulnerability batch, routed by BU and severity, with the affected device list attached
Reconcile Self Service installs against the SaaS contract per app, so over-deployed seats surface in the next renewal

AI workflows

Put the device record, vulnerability state and lifecycle history behind AI that reads the full Apple-fleet picture.

Patch-prioritisation scoring on severity, exposed-user count and BU criticality together
Hardware refresh forecasting per device family, BU and warranty cohort
Natural-language Q&A across the device, blueprint and vulnerability record

Custom apps on your data

Lightweight tools on Kandji data for IT leads and BU heads who should not need a Kandji seat to read their own fleet.

IT-ops cockpit with active devices, open vulnerabilities and patch SLA per BU
Finance view with hardware capex, AppleCare cover and per-Mac cost across the active employee roster
Security workbench with EDR threats, blueprint drift and leaver-versus-active-device gaps in one feed

Use cases

Use cases we deliver with Kandji data.

A list of concrete reports, automations and AI features we have built on Kandji data. Pick the one that matches your situation.

Leaver-versus-active-device gapMacs still checking in past an HR end date, per BU, manager and days overdue.

Vulnerability backlog by BUOpen vulnerabilities per BU, severity and patch age against the agreed SLA.

Blueprint compliance driftDevices outside their assigned Blueprint, with the controls that fell out named.

Software licence reconciliationSelf Service and Auto Apps deployments matched to the SaaS contract per app and BU.

Patch SLA per BUMedian and tail time-to-patch per severity, BU and OS family.

Hardware refresh planningDevices past warranty or model age threshold, per BU and cost-centre.

Joiner enrollment timeDays from joiner start to a Liftoff-complete, in-blueprint Mac, per site and role.

EDR threat triage queueOpen EDR detections by severity, BU and time in queue, against responder capacity.

FileVault and disk-encryption gapDevices missing FileVault, escrowed key or matching policy, per BU and site.

OS-version distributionmacOS, iOS, iPadOS and tvOS version mix across the fleet, against Apple support windows.

Per-device cost across the rosterHardware capex, AppleCare and Kandji licence per active employee per BU.

Self Service install adoptionPer-app install counts and active-use signal across BUs and roles.

Real business questions

Answers you will finally get.

How many Macs are still phoning home past an HR end date?

Devices in Kandji that posted a check-in after the leaver date in the HR system, per BU, manager and days overdue. Security and IT see the laptops the access review would have caught a quarter from now and can wipe or lock them this week, instead of treating offboarding as a manual ticket queue across HR, IT and finance.

Where does our vulnerability backlog sit, by business unit?

Open vulnerabilities from Kandji's Vulnerability Management module joined to the device, BU and policy record, with severity, exposed-user count and time since disclosure attached. The CISO sees the BU carrying the backlog, the apps responsible and the patch SLA being missed, instead of a single fleet-wide percentage that does not point at anyone.

Are we paying for SaaS seats on apps nobody is launching?

Auto Apps deployments and Self Service installs reconciled with the SaaS contract per app and the active-use signal where it is available. Finance and IT see the apps where deployed seats run thirty percent above paid seats, and the apps where paid seats sit on Macs that have not opened them in ninety days, in time for the next renewal cycle.

Value for everyone in the organisation

Where each function gets value.

For finance leaders

Hardware capex, AppleCare cover and Kandji licence per active employee per BU, joined to the HR roster and the SaaS contract register. The CFO sees the per-Mac cost line on the management report tied back to the device record it came from, and the BU where over-deployed seats and orphaned hardware are walking quietly through the budget.

For sales leaders

Sales-team device readiness against the staffed seller roster: AEs in onboarding without a Liftoff-complete Mac, field reps on iPads outside their assigned Blueprint, and demo devices that have not been wiped between cycles. Sales operations sees the kit that should be revenue-ready and is not, before the QBR catches it.

For operations

Joiner enrollment time, leaver-versus-active-device gap and patch SLA across sites in one capacity picture. The COO sees which office is letting joiners reach day fifteen without a fully enrolled Mac, and which sites carry the offboarding-and-vulnerability concentration this quarter.

Ideas

What you can automate with Kandji.

Pair with HiBob

Reconcile Kandji devices with the HiBob lifecycle in one timeline

Joiner, mover and leaver events from HiBob land next to Kandji enrollment state, assigned Blueprint and last-check-in in the warehouse, on the same employee key. People ops and IT see the joiner whose Bob record posted three days ago but whose Mac has not yet completed Liftoff, and the leaver whose Bob termination is closed but whose Mac is still posting check-ins. Offboarding stops being a quarterly access-review sweep and becomes a list of named devices to wipe or lock the day they fall out of policy.

Pair with Jira

Open Jira tickets per Kandji vulnerability batch, routed by BU and severity

Vulnerability records from Kandji's Vulnerability Management module open Jira issues in the BU's queue, with the affected device list, severity, exposed-user count and patch SLA attached, instead of a CSV emailed once a quarter. IT and security leads see the BU carrying the backlog and the SLAs being missed in the same board they already work, and the patch progress posted back to Kandji closes the loop without a manual reconciliation.

Pair with Slack

Drive joiner, leaver and vulnerability Slack moments from the Kandji record

Liftoff completion in Kandji posts a welcome message in the joiner's team channel and pings IT when an enrollment step has been waiting longer than the agreed window. Leaver records ping IT when a Mac has not been wiped or locked within the policy window, and a security channel surfaces a daily summary of new critical vulnerabilities by BU. IT operations stops running a manual handoff queue across HR and security by hand.

Pair with monday.com

Track Mac refresh and AppleCare renewals on a monday.com board

Devices past warranty or model-age threshold from Kandji land as items on a monday.com board, with BU, cost-centre, current user and AppleCare end-date attached. The IT-procurement lead sees the refresh wave per BU and quarter on the same board where budget owners already approve spend, instead of a Kandji export and a separate finance sheet that go out of sync the moment either side updates.

Pair with Exact Online

Tie Kandji hardware capex and Kandji licence cost back to the GL per cost-centre

Mac, iPhone and iPad serials from Kandji land next to the asset register and the Kandji licence count, mapped to the cost-centre and entity in Exact Online. Finance sees the per-Mac cost line on the management report tied back to the device record it came from, the BU where over-deployed Kandji seats are walking through the budget, and the depreciation schedule per device cohort, without a manual reconciliation between an asset spreadsheet and the GL.

Pair with HubSpot

Match HubSpot sales-team device readiness to the Kandji enrollment state

AEs, BDRs and SEs from the HubSpot user list joined to their Kandji device, assigned Blueprint and last-check-in. Sales operations sees the AE who started two weeks ago and is still on a non-enrolled laptop, the field rep whose iPad fell out of its assigned Blueprint, and the demo device that was never wiped between cycles. Quota coverage stops carrying invisible kit gaps that surface on a customer call.

Your existing tools

Your data lands in a warehouse. Your BI tools read from it.

You keep the reporting tool you already have. We connect it to the warehouse where your Kandji data lives.

Power BI Microsoft

Fabric Microsoft

Snowflake Data warehouse

BigQuery Google

Tableau Visualisation

Excel Sheets & pivots

Three steps

From Kandji to answers in three steps.

Connect securely

OAuth authentication. Read-only by default. We sign a DPA and your admin keeps the keys.

Land in your warehouse

Data flows into your warehouse on your schedule. Near real time or nightly, your call. You own the data.

Reporting, automation, AI

We build the first dashboard, workflow or AI feature with you, then hand over the keys. Or we stay on for ongoing delivery.

Two ways to work with us

Pick the track that fits how you work.

Track 01

Self-serve

We set up the foundation. Your team builds on top.

Kandji connector configured and running
Warehouse set up in your cloud account
Clean access for your Power BI, Fabric or Tableau team
Documentation on what's in the data model
Sync monitoring so you're warned before reports break

Best fit Teams that already have a BI analyst or data engineer and want to own the build.

Track 02

Done for you

We build the whole thing, end to end.

Everything in Self-serve
Dashboards built to the questions your team actually asks
Automations between your systems
AI workflows scoped to real tasks your team runs
Custom apps where a dashboard does not cut it
Ongoing delivery at a pace that fits your team

Best fit Teams without in-house BI or dev capacity. You tell us what you need and we deliver it.

Before you book

Frequently asked questions.

Who owns the data?

You do. It lands in your warehouse, on your cloud account. We don't resell or aggregate it. If you stop working with us, the warehouse stays yours and keeps running.

How fresh is the data?

Near real time for most operational systems. For heavier sources we schedule hourly or nightly. You pick based on what the reports need.

Do I need a warehouse already?

No. If you don't have one, we help you pick one and set it up as part of the first delivery. Common starting points are Snowflake, Microsoft Fabric, or a small Postgres start.

Which Kandji tables land in the warehouse?

The connector pulls Devices with hardware and OS detail, Users, Blueprints, Library Items and assignments, Software titles and Auto Apps state, Vulnerabilities from the Vulnerability Management module, Threats from the EDR module where licensed, Activity logs and Tags. Authentication runs through a Kandji API token scoped to your tenant, hitting the regional API host (US `*.api.kandji.io` or EU `*.api.eu.kandji.io`).

Kandji rebranded to Iru in October 2025. Does this connector still work?

Yes. The Apple endpoint stack and the Kandji API hosts continue to operate under the Iru name, and existing tenants are being upgraded gradually. The connector keeps using the documented API endpoints, regardless of which UI banner the tenant is on, and the device, blueprint and vulnerability records read the same. We will track Iru's expansion into Windows and Android management as those endpoints stabilise on the same API surface.

How are EDR threats and other sensitive Kandji fields handled?

EDR threats, Vulnerability Management findings and user-identifying device fields can be kept in restricted schemas that only IT and security roles reach, while the device, blueprint and OS-version data powers the dashboards the rest of the business uses. Access is enforced in the warehouse, not in each dashboard, so a new finance report cannot accidentally surface a threat detection it should not see.

GDPR-compliant

Data stays in the EU

You own the warehouse

A first deliverable live in four to six weeks.

We review your Kandji setup and the systems around it. Together we pick the first thing worth building.

Book a call See our other connectors