Kandji KST - Multi Tenant

Streamlining MDM Management: The Kandji Sync Toolkit and Multi-Tenancy

The Kandji Sync Toolkit (KST) is a new command-line utility that bridges the gap between local development and your Kandji MDM tenant. If you manage Apple devices with Kandji, KST enables you to efficiently work with custom profiles and scripts outside the web interface.

What KST Does for MDM Administrators

At its core, KST allows you to:

  • Create and maintain a local Git repository of your Kandji custom profiles and scripts
  • Pull existing resources from Kandji to your local repository
  • Push local changes back to your Kandji tenant
  • Create new profiles and scripts from templates or import existing ones
  • List and display detailed information about your resources
  • Format output in structured formats like YAML, JSON, or plist

This workflow brings the benefits of version control and local development to MDM management - meaning you can track changes, collaborate with others, and use your favorite code editor for scripts and profiles.

At 2Fifteen Tech, we use Kandji across all of the Mac environments that we manage, so to me it was obvious that this could be hugely beneficial to manage things across several tenants, with version control, and dramatically speed up the process of implementing a new environment or updating a script or profile that we use across all tenants. So I worked on adding a few things to make it easier to work with multiple environments.

The Multi-Tenant Enhancement

In the version of KST that Kandji released, managing multiple Kandji tenants (for example, development vs. production environments, or different client organizations) requires manually switching API credentials and repositories. I added a multi-tenant extension that streamlines this process with a new set of commands that make working with multiple tenants effortless.

What I added

The multi-tenant enhancement adds key features:

  1. Tenant Configuration Storage: Securely stores tenant API URLs and tokens in ~/.config/kst/tenants.json

  2. Repository Organization: Maps each tenant to its own repository directory

  3. Automatic Credential Management: Sets the appropriate environment variables when switching tenants

  4. Directory Navigation: Automatically changes to the tenant’s repository when switching tenants

  5. Full Tenant Lifecycle Management: Commands for adding, updating, listing, switching between, and removing tenants
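
Because item 1 keeps API tokens on disk, the permissions on that file and its directory matter. The following is an added example, not code from KST or from this fork, that writes such a store with owner-only access and audits it; only the path comes from the post, while the JSON layout and the names save_tenants and audit_store are assumptions.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Path named in the post. The JSON layout is an assumption for illustration.
DEFAULT_STORE = Path.home() / ".config" / "kst" / "tenants.json"

def save_tenants(tenants, store=DEFAULT_STORE):
    """Atomically write the tenant map so tokens are never group/world readable."""
    store = Path(store)
    store.parent.mkdir(parents=True, exist_ok=True)
    os.chmod(store.parent, 0o700)
    # mkstemp creates the file with mode 0600 regardless of the umask.
    fd, tmp = tempfile.mkstemp(dir=store.parent, prefix=".tenants-")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(tenants, fh, indent=2)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, store)  # atomic swap, readers never see a partial file
    except BaseException:
        os.unlink(tmp)
        raise

def audit_store(store=DEFAULT_STORE):
    """Return the first problem found per path; an empty list means none found."""
    store, findings = Path(store), []
    for label, path in (("directory", store.parent), ("file", store)):
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            findings.append(f"{label} missing: {path}")
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{label} is a symlink: {path}")
        elif st.st_uid != os.getuid():
            findings.append(f"{label} not owned by current user: {path}")
        elif st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{label} open to group/other: {path}")
    return findings

if __name__ == "__main__":
    # Constructed sample data; the token is a placeholder.
    demo = Path(tempfile.mkdtemp()) / "kst" / "tenants.json"
    save_tenants({"active": "client1", "tenants": {"client1": {
        "url": "https://client1.api.kandji.io", "token": "EXAMPLE-TOKEN"}}}, demo)
    print(audit_store(demo) or "store permissions OK")
```
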

How It Works Behind the Scenes

This was implemented in two main components:

  1. TenantManager (tenant_manager.py): A core class that handles:

    • Storing and retrieving tenant configurations
    • Managing the active tenant selection
    • Setting environment variables for the active tenant
    • Providing repository path information

  2. CLI Commands (cli/tenant.py): New commands that make tenant management accessible:

    • kst tenant add: Add a new tenant with API credentials and repository path
    • kst tenant list: Show all configured tenants
    • kst tenant switch: Change active tenant and its directory
    • kst tenant update: Update tenant configuration (especially useful for API token rotation)
    • kst tenant remove: Remove tenant configurations

The design ensures backward compatibility with existing workflows while enabling efficient multi-tenant use cases like:

# Add a new tenant
kst tenant add client1 --tenant-url https://client1.api.kandji.io --api-token "token" --create-repo

# Switch between tenants (automatically changes directory)
kst tenant switch client1

# Use active tenant's credentials automatically
kst profile pull --all

Why This Matters for MDM Administrators

If you’re managing multiple Kandji instances, this enhancement dramatically reduces friction:

  • No more manually exporting/importing environment variables
  • No confusion about which repository goes with which tenant
  • Simplified API token rotation
  • Less chance of accidentally pushing changes to the wrong tenant

With these improvements, KST becomes an even more powerful tool for Kandji administrators who need to manage multiple environments or client organizations efficiently.

This is a fork of the original, which I may make available as open source in the near future. I need to check a few things and clean up the comments on the sections that are modified. Let me know if this is something that would be useful to you though.
