Kandji logo

Kandji: Apple device management and endpoint security for IT teams

Kandji uses per device per month, billed annually, quote-based pricing, runs on cloud, supports macOS, iOS, and No self-serve free trial — demo available through sales.

Kandji is an Apple-first device management (MDM) and endpoint security platform built for IT teams managing macOS, iOS, iPadOS, and tvOS fleets. The platform combines zero-touch deployment through Apple Business Manager, blueprint-based configuration management, Auto Apps for automated software distribution, and continuous compliance enforcement against frameworks like SOC 2, HIPAA, CIS, and ISO 27001.

For mixed-OS environments where Windows and Linux management are equally important, Jamf Pro faces the same Apple-only limitation, but platforms like Microsoft Intune or Hexnode offer broader native coverage today — though the Iru rebrand signals that cross-platform parity is Kandji's strategic direction.

Written by RajatFact-checked by Chandrasmita

Editorial policy: How we review software · How rankings work · Sponsored disclosure

Pricing model

Per device per month, billed annually, quote-based

Deployment

Cloud

Supported OS

macOS, iOS

Trial status

No self-serve free trial — demo available through sales

Review rating

Not surfaced

Vendor

Kandji

Kandji pricing

Kandji uses per-device, per-month pricing billed annually, with rates that vary by device platform and contract length. iOS, iPadOS, and tvOS devices start at approximately $1.60 per device per month. macOS devices start at approximately $3.20 per device per month — roughly double the mobile rate, which reflects the greater management complexity of Mac endpoints.

For a fleet of 100 macOS devices on a one-year contract, expect approximately $102.72 per device annually ($10,272 total). A three-year commitment drops that to approximately $76.16 per device annually ($7,616 total) — a 26% discount that rewards longer lock-in. The 25-device minimum means annual spend starts at roughly $960 for an all-macOS fleet before add-ons.

The base MDM pricing covers device enrollment, blueprint configuration, Auto Apps, compliance monitoring, and the Prism reporting dashboard. Endpoint Detection and Response (EDR) and vulnerability management are separate paid modules. EDR adds approximately $71 per device annually, and vulnerability management adds approximately $30 per device annually.

For a 200-device macOS fleet that adds both modules, the incremental security cost is roughly $20,200 per year on top of the base MDM subscription — which more than doubles the total spend. Buyers should model the full-stack cost including EDR and vulnerability management before comparing Kandji's base rate against competitors that may bundle security features differently.

View Kandji pricing

MDM — iOS, iPadOS, tvOS: ~$1.60/device/month (Per device, billed annually. Covers enrollment, blueprints, Auto Apps, compliance monitoring.)
MDM — macOS: ~$3.20/device/month (Per device, billed annually. Full Mac management including zero-touch deployment, Auto Apps, Prism reporting.)
EDR Add-on: ~$5.93/device/month (Endpoint detection and response with autonomous containment. Mac and Windows.)
Vulnerability Management Add-on: ~$2.50/device/month (Software vulnerability scanning and prioritized remediation guidance.)

Verified from the official pricing page on March 17, 2026. View source

What stands out about Kandji

Kandji is the strongest Apple MDM option for mid-market IT teams that prioritize automation, compliance readiness, and a modern admin experience over the deep customization flexibility that Jamf Pro provides. The blueprint-based configuration model, Auto Apps library, and pre-built compliance templates for SOC 2, HIPAA, and CIS make Kandji meaningfully faster to deploy and operate than Jamf for teams that do not have a dedicated Jamf administrator.

Kandji is best for

Mid-market and enterprise IT teams managing Apple-dominant fleets of 50 to 5,000 devices where zero-touch deployment, automated compliance enforcement, and a modern admin console matter more than deep scripting customization. It is particularly strong for organizations that need to demonstrate compliance with SOC 2, HIPAA, CIS, or ISO 27001 and want pre-built templates rather than custom policy engineering.

Why Kandji stands out

Kandji's clearest differentiators are the Auto Apps library, the blueprint-based compliance enforcement model, and the speed of the zero-touch deployment workflow. Auto Apps is a curated library of over 150 pre-packaged macOS applications that Kandji keeps updated automatically — no IT admin needs to download, package, test, and distribute app updates manually. This eliminates one of the most time-consuming maintenance tasks in Apple fleet management and is a genuine operational advantage over Jamf Pro, where app packaging and distribution typically require more manual effort or third-party tools like Autopkg.

Commercial fit for Kandji

Kandji's commercial fit depends heavily on fleet size, platform mix, and add-on requirements. For a 100-device macOS-only fleet on a one-year contract, the base MDM cost of roughly $10,000 annually is competitive with Jamf Pro and meaningfully higher than Mosyle Business. Adding EDR and vulnerability management can push that to $20,000-$30,000 depending on configuration — which changes the competitive picture because you are now comparing Kandji against bundled endpoint security platforms rather than standalone MDMs.

What users think

Apple-first MDM designed for macOS and iOS fleets, with a library of pre-built compliance blueprints that reduce configuration time for common security baselines. SMB and mid-market teams that want strong Apple management without Jamf Pro's implementation complexity tend to evaluate it as the more approachable alternative.

In depth

Kandji is best evaluated in the context of the specific it operations software workflows your team is trying to standardize or improve.

Shortlist quality depends less on surface-level feature parity and more on how well Kandji fits your deployment preferences, reporting expectations, and the amount of day-to-day operational ownership your team can absorb. Use this page to understand product fit before moving into direct vendor comparisons.

  • Test whether Kandji fits the current environment and OS mix.
  • Validate the vendor’s pricing mechanics against real rollout assumptions.
  • Check whether the platform solves the workflows that matter in the first 90 days.

Kandji features

Zero-touch deployment through Apple Business Manager

Kandji's zero-touch deployment integrates with Apple Business Manager (ABM) and Apple Push Notification Service (APNs) to fully configure devices before an employee touches them. When an organization purchases devices through an Apple Authorized Reseller or Apple Business Manager, those devices are automatically assigned to the Kandji MDM server. - On first power-on, the device enrolls in Kandji, downloads its assigned blueprint, installs required applications through Auto Apps, applies security configurations (FileVault encryption, firewall settings, password policies), and enforces compliance rules — all without IT physically handling the device. - The enrollment experience is customizable: organizations can add branded welcome screens, mandatory acknowledgment steps for acceptable use policies, and sequenced configuration phases that keep the user informed during setup.

Auto Apps: automated application packaging and distribution

Auto Apps is Kandji's managed library of over 150 pre-packaged macOS applications that are automatically updated when new versions are released. The library covers common business applications — Chrome, Firefox, Zoom, Slack, Microsoft Office, 1Password, Docker, VS Code, Figma, and others — that would otherwise require IT to manually download new versions, package them in the correct format (DMG, PKG, or installer), test the package, and distribute it to managed devices. - With Auto Apps, IT assigns applications to blueprints and Kandji handles the rest: new versions are packaged by Kandji's team, tested, and pushed to enrolled devices automatically. - The library is continuously expanded, but niche, enterprise-specific, or internally developed applications still require custom package uploads through Kandji's custom apps workflow.

Blueprint-based configuration and compliance enforcement

Kandji organizes device management around blueprints — reusable configuration templates that define the complete desired state for a group of devices, including security policies, application assignments, network configurations, compliance rules, and restrictions. - Every device assigned to a blueprint receives the same configuration, and Kandji continuously monitors enrolled devices to detect drift from the blueprint's defined state. - This enforcement model is fundamentally different from alert-based MDM systems that notify administrators of non-compliance and require manual remediation.

Prism: device inventory, visibility, and reporting dashboard

Prism is Kandji's device intelligence dashboard that provides real-time visibility into hardware inventory, installed software, compliance status, security posture, and device health across the managed fleet. The dashboard aggregates data from all enrolled devices and presents it in searchable, filterable views — IT admins can query devices by OS version, installed application, compliance status, hardware model, storage capacity, or battery health. - Prism is useful for fleet planning (identifying devices approaching end-of-life or running unsupported OS versions), compliance auditing (generating evidence of fleet-wide encryption status for SOC 2 auditors), and incident response (identifying which devices have a specific vulnerable application installed).

Endpoint detection and response (EDR) add-on

Kandji's EDR module — available as a paid add-on to the base MDM subscription — provides endpoint threat detection, autonomous containment, and remediation for macOS and Windows devices. The EDR uses machine-learning-enhanced detection models to identify malware, ransomware, and advanced persistent threats in real time. - Because the EDR runs on the same platform as the MDM, threat context includes device management data — compliance status, installed applications, user identity, and blueprint assignment — which provides richer investigation context than standalone EDR tools that lack device management visibility. - The strategic value is consolidation: instead of running separate MDM and EDR vendors, organizations can manage both from a single platform.

Vulnerability management add-on

The vulnerability management module provides visibility into software vulnerabilities across the managed fleet, prioritized by severity and exploitability. The module scans enrolled devices for known CVEs in installed applications and OS components, then provides remediation guidance — typically patching the vulnerable software — with the ability to automate patch deployment through Kandji's existing app management capabilities. - Vulnerability data is presented in a centralized dashboard that shows which devices are affected, the severity of each vulnerability, and the remediation status across the fleet. - For organizations that currently track vulnerabilities through separate scanning tools (Qualys, Tenable, Rapid7), the consolidation value is having vulnerability data in the same platform as device management — the scan results can trigger automated remediation rather than generating tickets that IT must action manually.

Identity provider integration and workforce identity

Kandji integrates with major identity providers — Okta, Microsoft Entra ID (Azure AD), Google Workspace, and SCIM-compatible directories — to automate device assignment, user authentication, and lifecycle management. When a new user is created in the identity provider and assigned to a group, Kandji can automatically assign the corresponding blueprint to their device, ensuring they receive the correct apps, configurations, and security policies without manual IT intervention. - When a user is offboarded in the directory, Kandji can automatically lock or wipe their managed device, reducing the risk of data exposure from delayed offboarding actions.

Pros and cons of Kandji

This is the point in the evaluation where buyers should separate what sounds strong in the demo from what will still matter after implementation, reporting setup, and day-two administration are real.

Strengths

These are the strengths most likely to keep Kandji in the shortlist once the team starts comparing practical fit, not just feature breadth.

Auto Apps library eliminates manual app packaging and distribution

Kandji's Auto Apps feature maintains a curated library of over 150 pre-packaged macOS applications — including Chrome, Zoom, Slack, 1Password, Docker, and VS Code — that are automatically updated when new versions are released. IT admins assign apps to blueprints and Kandji handles the packaging, testing, and deployment without manual intervention.

Zero-touch deployment through Apple Business Manager is polished and reliable

Kandji's zero-touch deployment workflow integrates tightly with Apple Business Manager and Apple Push Notification Service. When a new device is shipped directly to an employee, it enrolls in Kandji on first boot, receives its assigned blueprint automatically, installs required apps, applies security configurations, and lands on the employee's desk fully configured without IT physically touching the device.

Pre-built compliance templates for SOC 2, HIPAA, CIS, and ISO 27001

Kandji ships with pre-built compliance templates that map device configurations and security policies to specific controls within SOC 2, HIPAA, CIS Benchmarks, and ISO 27001. Rather than manually researching which FileVault settings, password policies, firewall configurations, and software update requirements map to each framework control, IT teams select the applicable framework and Kandji applies the corresponding device policies automatically.

Modern, well-designed admin console with strong usability ratings

Kandji's admin console is consistently rated among the best in the MDM category for usability and design clarity. G2 reviewers rate Kandji at 9.4 for ease of use compared to Jamf Pro's score in the mid-8s. The interface organizes device management around blueprints, devices, and library items in a logical hierarchy that maps to how IT teams think about fleet management.

Expanding into unified IT and security platform with EDR and vulnerability management

The October 2025 rebrand to Iru signaled Kandji's expansion from Apple MDM into a broader IT and security platform that includes endpoint detection and response (EDR), vulnerability management, workforce identity, and compliance automation. The EDR module provides machine-learning-enhanced threat detection with autonomous containment and remediation for macOS and Windows. Vulnerability management offers visibility into software risk with prioritized patching recommendations.

Limitations

These are the points worth pressing in pricing calls, technical validation, and rollout planning before the team treats the product as a safe choice.

Apple-only MDM heritage limits cross-platform management maturity

Despite the Iru rebrand and announced Windows and Android support, Kandji's production-tested capabilities remain strongest on Apple platforms. Windows and Android device management were announced in late 2025 and are still maturing — buyers who need production-ready cross-platform management today should evaluate those capabilities in a proof of concept rather than assuming parity with the macOS and iOS experience.

Pricing is opaque and modular — total cost can exceed expectations

Kandji does not publish fixed pricing, which makes pre-sales benchmarking difficult. The per-device rate varies by platform (macOS costs roughly double iOS), and critical security features like EDR and vulnerability management are paid add-ons rather than included in the base subscription. A 200-device macOS fleet that starts at an estimated $20,000 annually for base MDM can reach $40,000+ once EDR and vulnerability management are added.

25-device minimum excludes small teams and startups

Kandji requires a minimum of 25 managed devices to open an account, which prices out small startups, early-stage companies, and teams with mixed device fleets where only a portion are Apple. A 10-person startup with 10 MacBooks cannot use Kandji regardless of willingness to pay.

Less scripting flexibility than Jamf Pro for complex custom workflows

Kandji's design philosophy favors pre-built automation and blueprint-based configuration over custom scripting flexibility. For the majority of Apple fleet management tasks, this is an advantage — less custom code means less maintenance. But for organizations with complex, non-standard workflows — custom kernel extension management, unusual network configurations, proprietary software deployment pipelines, or deep integration with homegrown IT systems — Kandji's guardrails can feel limiting.

Reporting and third-party integration depth could be stronger

While Kandji's Prism dashboard provides solid device inventory and compliance visibility, reviewers note that reporting capabilities are less customizable than Jamf Pro's Smart Groups and Advanced Search. Exporting detailed reports for executive or audit audiences sometimes requires workarounds.

Kandji deployment, integrations, and platform coverage

Kandji is a cloud-native platform — there is no on-premises deployment option and no server infrastructure to manage. Implementation starts with connecting Apple Business Manager (ABM) and configuring Apple Push Notification Service (APNs) certificates, which are standard prerequisites for any Apple MDM. From there, the core workflow is building blueprints: defining which configurations, security policies, apps, and compliance rules apply to each device group.

Kandji's blueprint model is template-driven rather than script-driven, so initial configuration is faster than Jamf Pro for organizations that do not have pre-existing custom scripts to migrate. A team deploying Kandji for 100-500 macOS devices with standard compliance requirements can realistically complete initial setup in one to three days, with device enrollment happening automatically through zero-touch deployment as new devices are powered on.

Operating system coverage is Apple-first: macOS, iOS, iPadOS, and tvOS are production-ready with full feature depth. The Iru expansion adds Windows and Android management, but these capabilities launched in late 2025 and are still maturing.

Buyers should test Windows and Android management in a proof of concept before committing to Kandji as a cross-platform solution. macOS Sequoia and later versions require user-approved MDM enrollment permissions that Kandji handles automatically through the zero-touch workflow — but IT teams deploying to devices already in the field without ABM enrollment will need to walk users through the enrollment approval process manually, which adds friction for brownfield deployments versus greenfield.

Before you book a demo

Kandji free trial, demo, and buying motion

Kandji typically enters the shortlist when an IT team managing Apple devices wants a more automated, less maintenance-heavy alternative to Jamf Pro, or when a growing organization needs its first serious MDM platform and wants compliance automation built in from the start. The evaluation path requires a sales conversation and demo rather than a self-serve trial, which means preparation before the first call matters more than usual.

1

Get published pricing from Mosyle Business and Hexnode so you have transparent benchmarks for the per-device rate conversation. Kandji's sales team will anchor pricing based on your device count and contract length — having competitive reference points prevents you from accepting the first quote without context.

2

Ask for a full-stack quote that includes base MDM, EDR, and vulnerability management pricing from the first conversation, even if you think you only need MDM today. Understanding the total platform cost upfront prevents surprise when the security modules become relevant six months after deployment. The difference between base MDM and full-stack Kandji can be 2-3x.

3

If you are migrating from Jamf Pro, audit your custom scripts, extension attributes, and API integrations before the Kandji demo. Ask Kandji to demonstrate how each custom workflow maps to their native capabilities. The workflows that cannot be replicated natively are the ones that determine whether migration is practical or whether Jamf's scripting depth is a hard requirement.

4

Test the zero-touch deployment workflow end-to-end during the evaluation — enroll a new device through ABM, confirm the blueprint applies correctly, verify that Auto Apps install without intervention, and check compliance status after setup completes. This is Kandji's strongest workflow, and if it does not work cleanly in your environment, the platform's core value proposition has a problem.

5

Request a one-year initial contract with a defined renewal rate rather than accepting a three-year commitment based on demo impressions. The three-year discount is meaningful (roughly 26%), but locking in before you have production evidence of fit creates switching cost risk if the platform does not match operational expectations at scale.

Frequently asked questions about Kandji for MDM Software

How much does Kandji cost per device?

+

Kandji uses per-device, per-month pricing billed annually. Based on buyer-reported data, iOS, iPadOS, and tvOS devices start at approximately $1.60 per device per month. macOS devices start at approximately $3.20 per device per month. EDR adds roughly $5.93 per device per month, and vulnerability management adds approximately $2.50 per device per month. A 100-device macOS fleet on a one-year contract costs approximately $10,272 annually for base MDM. Three-year contracts reduce the rate by roughly 26%. There is a 25-device minimum. Kandji does not publish fixed prices — all rates are quote-based and vary by volume and contract terms.

Why did Kandji rebrand to Iru?

+

In October 2025, Kandji rebranded to Iru to signal its expansion from an Apple-only MDM into a broader IT and security platform. The Iru brand reflects the addition of Windows and Android device management, endpoint detection and response (EDR), vulnerability management, workforce identity, and AI-powered automation under a unified platform. The core Apple MDM product remains the same — the rebrand represents a strategic expansion, not a replacement. Existing Kandji customers transitioned to Iru branding without changes to their MDM functionality.

What is the difference between Jamf Pro and Kandji?

+

Jamf Pro offers deeper scripting customization, a larger third-party ecosystem, and a more mature extension attribute and API framework — it is stronger for organizations with a dedicated Jamf administrator who builds and maintains custom workflows. Kandji prioritizes automation over customization: Auto Apps eliminate manual app packaging, blueprint-based compliance enforcement reduces scripting requirements, and the admin console is rated higher for ease of use. Jamf Pro is the better choice for complex, heavily customized Apple environments. Kandji is the better choice for teams that want operational speed and compliance automation with less ongoing maintenance. Both are Apple-first; neither has production-mature Windows management as of early 2026.

Does Kandji support Windows and Android devices?

+

Yes, following the Iru rebrand in October 2025, the platform expanded beyond Apple to include Windows and Android device management. However, these capabilities are newer than the core macOS and iOS management features. Buyers who need Windows or Android management should evaluate those features in a hands-on proof of concept rather than assuming they match the depth and maturity of Kandji's Apple device management. For organizations where Windows is the primary fleet, Microsoft Intune or Hexnode remain more established cross-platform options.

Does Kandji offer a free trial?

+

Kandji does not offer a self-serve free trial. The evaluation path requires requesting a demo through the Kandji (Iru) website, which initiates a sales-led process. During the evaluation, Kandji can provision a sandbox environment for hands-on testing, but this is arranged through the sales team rather than available on-demand. This sales-led model means buyers should prepare their evaluation criteria, device inventory, and competitive benchmarks before the first call to make the demo time productive.

What compliance frameworks does Kandji support?

+

Kandji provides pre-built compliance templates for SOC 2, HIPAA, CIS Benchmarks, and ISO 27001. These templates map device configuration policies — FileVault encryption, password requirements, firewall settings, software update enforcement, and screen lock policies — to specific framework controls. Continuous compliance monitoring checks enrolled devices against the template requirements and auto-remediates drift without manual intervention. The compliance dashboard provides audit-ready evidence of fleet posture. For organizations undergoing SOC 2 Type II audits or maintaining HIPAA compliance, this built-in automation replaces what would otherwise require custom scripting, manual device auditing, and spreadsheet-based tracking.

Is Kandji worth the price compared to cheaper MDM alternatives?

+

Kandji's per-device pricing is higher than Mosyle Business, SimpleMDM, and Hexnode at equivalent device counts. The value case for the premium rests on three capabilities: Auto Apps eliminating manual app packaging and updates, pre-built compliance templates reducing audit preparation time, and a modern admin console that requires less specialized expertise to operate than Jamf Pro. For teams where these capabilities save measurable IT hours and reduce compliance risk, the premium is defensible. For teams that primarily need basic device enrollment and configuration without compliance automation or Auto Apps, cheaper alternatives deliver the core MDM functionality at a lower per-device cost. The decision should be based on whether the automation features save enough operational time to justify the per-device premium at your fleet size.

Kandji alternatives worth comparing

These are the alternatives most directly compared against Kandji, organized by the primary reason buyers consider them. The right comparison depends on whether the evaluation is about Apple management depth, cross-platform breadth, pricing, or organizational scale.

Hexnode

Hexnode is the most relevant alternative when the evaluation requires cross-platform device management that includes Windows, Android, macOS, iOS, and Linux from a single console. Hexnode publishes transparent tiered pricing that is significantly lower than Kandji's per-device rate, and it supports a broader range of operating systems natively. For organizations with mixed fleets where Apple devices are a significant but not exclusive portion, Hexnode offers unified management without requiring a separate MDM for non-Apple devices. Hexnode's Apple management depth is solid but less automated than Kandji's — it lacks an Auto Apps equivalent and its compliance templates are less granular. The tradeoff is breadth versus depth: Hexnode covers more platforms at a lower price; Kandji goes deeper on Apple with more automation.

Scalefusion

Scalefusion gives teams a way to evaluate endpoint management software fit, deployment tradeoffs, and day-to-day operational usability.

Miradore

Miradore gives teams a way to evaluate endpoint management software fit, deployment tradeoffs, and day-to-day operational usability.

Workspace ONE UEM

Workspace ONE UEM gives teams a way to evaluate endpoint management software fit, deployment tradeoffs, and day-to-day operational usability.

Head-to-head comparisons

Open the comparison pages once Kandji makes the shortlist.

Related buyer guides

Use the surrounding category research before this tool becomes the default answer.

Buyer guide

Apple MDM Software

Apple MDM software should be judged by enrollment quality, Apple-specific policy depth, app workflow maturity, and whether an Apple-first tool is the right tradeoff for the estate.

Buyer guide

MDM Best Practices

MDM best practices help teams make enrollment, policy enforcement, privacy handling, and offboarding more reliable after the platform goes live.

Buyer guide

MDM Pricing Guide

MDM pricing is easier to evaluate when buyers model device growth, packaged features, enrollment support, and long-term operating fit instead of comparing entry quotes alone.

Sources

These are the public references, pricing pages, and editorial inputs used to support this page. Readers should still confirm final commercial or product details directly with the vendor when the decision becomes real.

Continue through this software cluster

Use the linked pages below to move from the product profile into pricing, alternatives, category context, comparisons, glossary terms, and research.

MDM Software

Return to the category hub when the team needs broader buying context before narrowing further.

Kandji pricing

Check the commercial model, official pricing notes, and what to validate before procurement treats the pricing as settled.

Kandji alternatives

Use alternatives when the product is credible but the buying team still needs stronger pressure-testing against competing fits.

Open the glossary

Use glossary terms when the product page raises category language that needs a clearer operational definition.