Kandji - Zero Touch Installation of the Desktop App

How to silently deploy the desktop app using Kandji

  • Updated on May 21, 2024


Kandji is a mobile device manager (MDM) used to manage and secure Apple devices. In Cloud Secure Edge, it can be configured to package and distribute the desktop app to your device fleet using zero-touch installation. This completes a silent installation, which requires no interaction from your end users.

In this doc, we review the steps required to execute a zero-touch installation using Kandji.


  • Deployment Key: Obtained from the Command Center under Settings > Banyan Client tab > Deployment tab > Zero-Touch Deployment Using a Device Manager.
  • Invite Code: Obtained from Command Center under Settings > Banyan Client tab > Deployment tab > Invite Code.
  • Ensure that you’re familiar with mdm-config.json parameters to customize Banyan Desktop App functionality, paying particular attention to the following flags required to enable zero touch mode:

    • mdm_start_at_boot - Recommended to set as true to ensure the app starts consistently
    • mdm_hide_on_start - Recommended to set as true to ensure the app doesn’t foreground every time the user logs in


There are two high-level steps required to silently deploy and install the desktop app then register devices with Cloud Secure Edge (CSE):

  • Step 1. Prepare the zero touch install script - Configure the zero touch script with the appropriate deployment parameters for your organization.
  • Step 2. Distribute the zero touch install script to devices - Push down the configured script to your end users to register their devices with CSE.

Step 1: Prepare the zero touch installation script for macOS

1.1 Download the script from the CSE (formerly Banyan) repo: Banyan App Installer.

1.2 Configure the script by entering the following values:

  • The INVITE_CODE value: This value can be found in the Cloud Command Center under Settings > Banyan Client tab > Deployment tab.

  • The DEPLOYMENT_KEY value: This value can also be found under Settings > Banyan Client tab > Deployment tab, under the sub-header Zero-Touch Deployment Using a Device Manager. Select the Copy icon to the right of the Deployment Key value, and enter the copied value into your script.

  • The APP_VERSION value: You have the option of specifying an app version or leaving this value blank; if left blank, this field will auto-populate with the latest app version.

Once configured, CSE’s script automates the installation and registration process. The script will (i) generate an mdm-config.json file; (ii) download and install the latest version of the app; (iii) stage the app with the device certificate; and (iv) start the app as the logged-in user.
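A pre-flight check you can run against the configured script before distributing it, shown here as an added example (it is not part of CSE’s installer or this guide’s original content). It assumes the three values are set as top-level `NAME="value"` assignments and that a pinned APP_VERSION is a dotted number; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: lint a configured zero touch install script before upload.
# Assumption: values appear as top-level NAME="value" assignments.
# The secret values themselves are never echoed.

# Print the value of the first top-level assignment to variable $1 in file $2.
get_assignment() {
  sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" "$2" | head -n 1
}

# Return 0 if the script at $1 is ready to distribute, non-zero otherwise.
check_zero_touch_script() {
  local file="$1" problems=0 name value
  for name in INVITE_CODE DEPLOYMENT_KEY; do
    value="$(get_assignment "$name" "$file")"
    if [ -z "$value" ]; then
      echo "FAIL: $name is empty or not set" >&2
      problems=$((problems + 1))
    elif printf '%s' "$value" | grep -Eq '[<>[:space:]$]'; then
      # Angle brackets, whitespace or "$" suggest a template value was left in.
      echo "FAIL: $name looks like a placeholder or unexpanded variable" >&2
      problems=$((problems + 1))
    fi
  done
  # APP_VERSION may be blank (latest); otherwise expect a dotted version (assumed format).
  value="$(get_assignment APP_VERSION "$file")"
  if [ -n "$value" ] && ! printf '%s' "$value" | grep -Eq '^[0-9]+(\.[0-9]+)+$'; then
    echo "FAIL: APP_VERSION '$value' is neither blank nor a dotted version" >&2
    problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
}

# Usage: sh preflight.sh /path/to/configured-script.sh
if [ "$#" -gt 0 ]; then check_zero_touch_script "$1"; fi
```

Because the configured script carries the Deployment Key in plain text, run the check on the admin workstation and keep the file out of shared locations.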

Step 2: Distribute a Configuration Profile with User info

CSE’s bash script will leverage name and email when silently registering the app. This configuration profile will contain the users’ information on the device for the script to leverage.

2.1 Navigate to Library > Add New and click Custom Profile.

  • Name: Zero Touch User Info

2.2 Configure the Assignment section with the appropriate Blueprint.

2.3 Attach the Global Variables profile.

Download this file and upload it into the Zero Touch User Info profile to map all Global variables for a user within a device profile.

2.4 Select Save to push the profile to selected devices.

Step 3: Distribute the zero touch install script to macOS devices via Kandji

3.1 Navigate to your Kandji Library, and select Add New.

3.2 Under General, select the Custom Script template.

3.3 Under Custom Script, select Add & Configure.

3.4 In the configuration page of your custom script, enter a title.

3.5 Under Assignment, select a Blueprint.

The Blueprint designates which users’ devices you want to assign the script to.

3.6 Under Settings, set the Execution Frequency. Select the option to Run once per device.

3.7 Under Script Details, paste your configured script.
