About Kandji

Kandji is a cloud-native Apple device-management (MDM) and security platform that helps IT and InfoSec teams deploy, configure and protect Apple devices at scale through deep automation and policy-driven controls. Connecting Kandji to Serval lets you pull real-time inventory, enforce compliance and run remote commands directly from chat.

What the Kandji integration enables

CapabilityDescription
Access ManagementRemove users from Kandji
Automation workflowsStreamline device provisioning and management, enforce compliance, and more
Anything defined in the Kandji API can be accessed through Serval.

Kandji configuration (generate an API token)

Who Can Create API Tokens?

Kandji RoleAccess to Settings ▸ Access ▸ API TokensNotes
Account OwnerFull, non-revocable access.
AdministratorFull access; can be revoked by other admins.
Standard / Help Desk / Auditor-type roles❌ (by default)Can only create a token if their custom role is explicitly granted the API Token permission.
Note: Roles without Settings access (e.g., Standard, Help Desk) cannot reach the Access tab unless a custom permission set is applied.

Kandji API Setup

Follow the steps provided by Kandji to create your API Token here: Kandji API Setup Guide
Converting your Kandji domain to Service Instance ID:
  • If your Kandji instance is acme.kandji.io
  • Your Service Instance ID is acme.api.kandji.io
  • Simply insert .api after your subdomain
For example: [subdomain].kandji.io[subdomain].api.kandji.io
With your Kandji API token and Service Instance ID (API domain) in hand, you’re ready to move on to Part 4—connecting Serval so it can automate Apple device workflows on your behalf.

Serval Configuration

Quick reference:
  • If your Kandji URL is: https://acme.kandji.io
  • Enter: acme.api.kandji.io
  • (Just add .api after your subdomain!)
  1. In Serval go to Apps → Available → Kandji → Connect.
  2. Enter your Service Instance ID and the Bearer Token you generated above.
    • Service Instance ID format: [your-subdomain].api.kandji.io
    • Example: If you access Kandji at acme.kandji.io, enter acme.api.kandji.io
  3. Click Save.
You can rotate or scope the token at any time—just reconnect the app to update the value in Serval to keep workflows running.