About Kandji
Kandji is a cloud-native Apple device-management (MDM) and security platform that helps IT and InfoSec teams deploy, configure and protect Apple devices at scale through deep automation and policy-driven controls. Connecting Kandji to Serval lets you pull real-time inventory, enforce compliance and run remote commands directly from chat.What the Kandji integration enables
| Capability | Description |
|---|---|
| Access Management | Remove users from Kandji |
| Automation workflows | Streamline device provisioning and management, enforce compliance, and more |
Kandji configuration (generate an API token)
Who Can Create API Tokens?
| Kandji Role | Access to Settings ▸ Access ▸ API Tokens | Notes |
|---|---|---|
| Account Owner | ✅ | Full, non-revocable access. |
| Administrator | ✅ | Full access; can be revoked by other admins. |
| Standard / Help Desk / Auditor-type roles | ❌ (by default) | Can only create a token if their custom role is explicitly granted the API Token permission. |
Note: Roles without Settings access (e.g., Standard, Help Desk) cannot reach the Access tab unless a custom permission set is applied.
Create API Token with Required Permissions
Follow these steps to create a dedicated Kandji API token for Serval with the appropriate permissions:Navigate to API Token Settings
- Sign in to your Kandji instance
- Click Settings in the sidebar
- Click the Access tab
- Scroll to the API token section
- Click Add Token
Create the Token
- In the Name field, enter a descriptive name like
Serval Integration - The Description field is optional
- Click Create
- Click the Copy Token icon to copy the token
- Important: Store this token securely in your password manager—Kandji will never display the cleartext token again
- Click the checkbox for “I have copied the token and understand that I will not be able to see these details again”
- Click Next
Configure API Permissions
In the Manage API Permissions dialog, click Configure, then scroll through the sections and enable the following permissions:
Devices Section (Required for Core Functionality)
Select the checkbox for each of the following:- Device list -
/api/v1/devices - Device ID -
/api/v1/devices/{device_id} - Device details -
/api/v1/devices/{device_id}/details - Application list -
/api/v1/devices/{device_id}/apps - Device Library Items -
/api/v1/devices/{device_id}/library-items - Device status -
/api/v1/devices/{device_id}/status - Device activity -
/api/v1/devices/{device_id}/activity
Device Actions Section (Required for Device Management Workflows)
If you plan to use workflows that manage or control devices, also enable:- Restart device -
/api/v1/devices/{device_id}/action/restart - Update inventory -
/api/v1/devices/{device_id}/action/updateinventory - Blank push -
/api/v1/devices/{device_id}/action/blankpush - Renew MDM profile -
/api/v1/devices/{device_id}/action/renewmdmprofile
Blueprints Section (Optional)
If you plan to use blueprint-related workflows:- Blueprint list -
/api/v1/blueprints - Blueprint ID -
/api/v1/blueprints/{blueprint_id}
Users Section (Optional)
If you plan to use user management workflows:- User list -
/api/v1/users - User ID -
/api/v1/users/{user_id}
Tags Section (Optional)
If you plan to use tag-related workflows:- Tag list -
/api/v1/tags
Serval Configuration
- In Serval go to Apps → Available → Kandji → Connect.
- Enter your Service Instance ID and the Bearer Token you generated above.
- Service Instance ID format:
[your-subdomain].api.kandji.io - Example: If you access Kandji at
acme.kandji.io, enteracme.api.kandji.io
- Service Instance ID format:
- Click Save.