Kandji and why Mac fleet management matters more now

Most companies manage Windows through Intune but leave Macs completely ungoverned. Kandji, now rebranded as Iru, fills that gap. With AI tool deployments like Claude Code exposing device management blind spots, Mac fleet management is no longer optional for mid-size companies running hybrid fleets.

Your company probably manages Windows endpoints through Microsoft Intune. That part’s sorted. But when someone asks how you’re managing the 40 Macs your engineering team uses, the answer is usually silence. Or worse: “they manage themselves.” This blind spot didn’t matter much two years ago. It matters now because AI tool deployment - pushing things like Claude Code, Claude Desktop, and Homebrew-based developer toolchains across a fleet - requires device-level control, and you only have that if the devices are actually enrolled and managed.

Kandji, which rebranded to Iru in October 2025, was built specifically for this problem. Apple-first MDM. And the timing of its expansion into a broader platform couldn’t be more relevant, because most IT teams are discovering their Mac management gaps at exactly the moment they’re trying to roll out AI tools to developers.

The Mac blind spot in enterprise IT

The thing is, Intune comes bundled with Microsoft 365 E3 and E5 licenses. It’s already there. It feels free. So companies default to it for everything, and since most of the fleet is Windows, that works fine for 70-80% of endpoints. The remaining Macs? They drift into a weird no-man’s land where IT sort of knows they exist but doesn’t actually govern them.

In conversations I’ve had with IT teams at mid-size companies, the pattern is remarkably consistent. Somebody bought Macs for the dev team or the design team. Those Macs got enrolled in Intune’s basic Apple management, which handles the absolute minimum - disk encryption, passcode policy, maybe a Wi-Fi profile. But Intune’s Mac capabilities are shallow compared to what it does on Windows. Custom app deployment, granular OS update enforcement, compliance scripting - all of it is harder or absent on the Mac side.

This wasn’t a crisis until AI showed up.

A 9to5Mac analysis of enterprise security gaps pulled from 1Password research found that only 21% of security leaders report full visibility into which AI tools employees are using. Twenty-one percent. The same piece called AI adoption “the biggest example of Shadow IT I’ve ever seen.” That’s not hyperbole from some vendor blog. That’s 1Password’s security team looking at real data from enterprise customers.

And it gets worse when you realize that 20-30% of corporate endpoints in hybrid environments operate outside formal management entirely. These aren’t rogue devices. They’re company-issued Macs that never got properly enrolled, or got enrolled in a system that can’t actually do anything useful with them. When I consult with companies on their device posture, I ask to see their MDM enrollment dashboard, and the Mac section is either empty or shows basic profiles that haven’t been touched in months. The devices exist in the system but the system isn’t doing anything with them.

Now imagine you’re trying to deploy Claude Code across your engineering team. On Windows, you’ve got a path - we’ve covered that deployment process in detail. On Mac? You’re staring at a terminal-based install that needs Homebrew, Node.js, and CLI access. If those Macs aren’t under real management, you can’t push any of that. You’re sending Slack messages asking developers to run install scripts manually and hoping they all do it the same way. Honestly, that’s a painful way to run IT in 2026. And half of them will do it differently, creating configuration drift across your engineering fleet before you’ve even started.

The shadow AI problem gets amplified here. Unmanaged Macs become the path of least resistance for unsanctioned tool usage. If IT can’t push approved tools to Mac endpoints, employees install whatever they want. They’ll grab the free tier of some random AI assistant, paste customer data into it, and you won’t even know it happened because those devices are basically invisible to your security stack.

What Kandji actually does

Kandji started in 2018 as an Apple-only MDM platform. That’s the important bit. It wasn’t a Windows management tool that bolted on Mac support as an afterthought. It was built ground-up around Apple’s management frameworks: MDM protocol, Automated Device Enrollment, Apple Business Manager integration.

Computerworld confirmed the rebrand in late 2025. The company expanded to cover Windows and Android under the Iru name, and launched six new products: Workforce Identity, Endpoint Management, EDR, Vulnerability Management, Compliance Automation, and a Trust Center. That’s a big swing from “Mac MDM” to “unified endpoint security platform.” Whether they pull it off across all three OS families remains to be seen. But the Apple side is where they’ve earned credibility.

Here’s what makes Kandji different from basic Intune Mac management in practice.

Auto Apps is their pre-packaged application library. Over 300 apps that Kandji maintains, patches, and updates automatically. You don’t write deployment scripts. You pick the app, assign it to a Blueprint (their term for device groups), and it deploys. When a new version drops, Kandji handles the update. Compared to manually packaging .pkg files and uploading them to Intune, this saves hours per application.

Blueprints handle device grouping and configuration layering. You build a baseline Blueprint with your security policies, then layer on team-specific configurations. Engineering gets Homebrew and developer tools. Design gets Creative Cloud. Finance gets whatever finance needs. The layering model is cleaner than Intune’s configuration profile approach for Macs, which can get messy fast.

Compliance automation maps device configurations directly to frameworks like SOC 2, HIPAA, and ISO 27001. Instead of manually documenting that yes, FileVault is enabled and yes, the firewall is on, Kandji tracks it continuously and generates audit-ready reports. For companies going through their first SOC 2 audit, this alone justifies the cost.

Managed OS enforces macOS updates on a schedule you control. No more developers running three-year-old macOS versions because they “don’t want to break their setup.” You set the deferral window, and the update happens.

The Mollie Payments migration is the best public case study I’ve found. They moved roughly 900 Macs from Jamf Pro to Kandji. Fifty-six users self-migrated on day one using a self-service approach. The team hit 90% completion before their deadline, and Jacob Burley documented the technical details of how they handled the migration. The key insight from Mollie’s experience: Kandji’s Liftoff onboarding feature handled most of the device setup automatically, which cut their IT team’s per-device workload down to basically zero for standard configurations.

One tool worth knowing about: Git2Kandji, an open-source project that syncs MDM configurations from a Git repository into Kandji. It brings version control and CI/CD practices to device management. Mind you, this is a community tool, not officially supported. But the fact that it exists tells you something about the kind of IT teams using Kandji.

The gap between Intune and everything else

Let me be direct about something frustrating. Neither Intune nor Kandji can efficiently mass-deploy Claude Code right now.

Claude Code is a terminal application. It installs via npm. The official deployment approach for governance involves pushing a managed settings file to /Library/Application Support/ClaudeCode/managed-settings.json via MDM. That part works. But the actual installation still requires running commands in a terminal with the right Node.js version, the right npm configuration, and the right permissions. On a managed Mac, that’s a scripting exercise through your MDM. On an unmanaged Mac, it’s a prayer.
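As an added example (not code from the article, Kandji/Iru, or Anthropic), here is a small Python posture check of the kind an MDM would run on each Mac, covering the controls discussed above: FileVault and the application firewall (the compliance-automation section), a minimum macOS version (Managed OS), and the presence of the managed-settings.json file named in this paragraph. The 14.0 version floor is an assumption, and the command runner and path check are injectable so the logic can be exercised with constructed output on any OS; a missing tool produces a failed finding rather than a silent pass.

```python
"""Added example: per-device posture check for the controls discussed in the article."""
import os
import subprocess
from dataclasses import dataclass

# Path Claude Code reads managed settings from (as named in the article).
MANAGED_SETTINGS = "/Library/Application Support/ClaudeCode/managed-settings.json"
MIN_MACOS = "14.0"  # assumed baseline; set to whatever Managed OS enforces in your fleet


@dataclass
class Finding:
    control: str
    passed: bool
    evidence: str


def run(cmd):
    """Return the command's stdout, or '' when the tool is absent (e.g. not on macOS)."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout.strip()
    except (FileNotFoundError, PermissionError):
        return ""


def version_tuple(text):
    """'14.5' -> (14, 5); anything unparsable becomes (0,), which fails the floor check."""
    try:
        return tuple(int(p) for p in text.split("."))
    except ValueError:
        return (0,)


def check_posture(run_cmd=run, path_exists=os.path.exists, min_macos=MIN_MACOS):
    """Evaluate each control; an unavailable tool yields a failed finding, never a pass."""
    fv = run_cmd(["fdesetup", "status"])  # prints "FileVault is On." / "FileVault is Off."
    fw = run_cmd(["/usr/libexec/ApplicationFirewall/socketfilterfw", "--getglobalstate"])
    ver = run_cmd(["sw_vers", "-productVersion"])  # e.g. "14.5"
    return [
        Finding("FileVault", fv.startswith("FileVault is On"), fv or "fdesetup unavailable"),
        Finding("Application firewall", fw.startswith("Firewall is enabled"), fw or "socketfilterfw unavailable"),
        Finding("macOS >= " + min_macos, version_tuple(ver) >= version_tuple(min_macos), ver or "sw_vers unavailable"),
        Finding("Claude Code managed settings", path_exists(MANAGED_SETTINGS), MANAGED_SETTINGS),
    ]


def failing_controls(findings):
    """Names of controls that did not pass; an empty list means the device is compliant."""
    return [f.control for f in findings if not f.passed]


if __name__ == "__main__":
    for f in check_posture():
        print("PASS" if f.passed else "FAIL", f.control, "-", f.evidence)
```

Deployed as an MDM script, the FAIL lines are the per-device evidence a compliance report is built from; the same checks belong in the pre-rollout audit before any Claude Code governance settings go out.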

Claude Desktop is easier. Anthropic provides a PKG for Mac deployment that you can push through any MDM. Their documentation specifically mentions Kandji as a deployment target. That’s a meaningful signal. When a vendor’s own deployment docs reference your MDM by name, it means their enterprise customers are using it.

Homebrew is a whole separate nightmare.

Basically every Mac developer tool depends on Homebrew. Git, Node.js, Python, Ruby - the standard developer stack runs through it. But Homebrew’s official installer is, as stated in GitHub discussion #2562, “only meant to be run by a single user.” MDM operates as root. Homebrew opposes running as root by design. This creates a fundamental conflict that IT teams have to work around with custom scripts, pre-staged installations, or alternative package managers. It’s not an unsolvable problem, but it’s the kind of yak shaving that eats a week if you’re not prepared for it.

Here’s how the competitive picture breaks down based on the IT leader comparison research:

Intune is already in your M365 stack. Base Mac management is included. Advanced features like custom compliance scripts and endpoint analytics for Mac require additional licensing. It’s the default choice when you’re a Windows-heavy shop with a handful of Macs.

Jamf Pro is the enterprise incumbent. Deeper scripting capabilities, longer track record, massive community of Mac admins writing custom extensions. If you have 5,000+ Macs and a dedicated Mac admin team, Jamf is still the safe choice. It’s also the most expensive option by a comfortable margin.

Kandji (Iru) sits in the middle. Less scripting flexibility than Jamf, more Apple depth than Intune. The Auto Apps library and compliance automation are genuine differentiators. Vendr’s marketplace data from 247 deals shows median annual spend in the low five figures, which puts it roughly at the cost of a single SaaS subscription per device for most mid-size fleets.

Mosyle targets the budget-conscious end. Popular in education. Less enterprise polish but significantly cheaper - roughly a third of what Jamf charges per device.

NinjaOne is an RMM that does cross-platform management. Broader than pure MDM. Less Apple-specific depth but covers Windows, Mac, and Linux from a single console. Good for MSPs and IT teams that don’t want separate tools per platform.

And then there’s the elephant in the room. In March 2026, Apple announced Apple Business, a free built-in MDM platform for businesses of all sizes. It’s early. Capabilities are limited compared to third-party MDMs. But Apple giving away basic device management for free puts genuine pressure on every paid MDM vendor’s entry-level tier. The Miradore analysis of Kandji’s positioning notes this competitive dynamic explicitly.

Picking the right MDM before your AI rollout

If you’re planning any kind of AI tool deployment across a mixed fleet - and you should be, given that this is where productivity tools are heading - audit your device management first. Not after. Before.

I keep seeing companies treat AI deployment as a software provisioning exercise. It isn’t. It’s an endpoint management exercise that happens to involve AI software. If you can’t push a configuration profile to every Mac in your fleet today, you definitely can’t push Claude Code governance settings to them next quarter.

Here’s the practical decision framework.

If your fleet is 80%+ Windows with a handful of Macs, extend Intune’s Mac management and accept its limitations. The additional licensing cost for advanced Mac features is still cheaper than adding a second MDM platform. Your IT team already knows Intune. Don’t make them learn something new for 30 machines. That said, do actually configure Intune’s Mac profiles properly. The default enrollment with zero configuration profiles is barely better than no management at all.

If your fleet is 50%+ Mac or your Mac users are developers and engineers who need deep toolchain management, look hard at Kandji. The Auto Apps library, Blueprint layering, and compliance automation hit a sweet spot for companies with 100-2000 Macs. The Iru rebrand signals they’re building toward being your single platform for all devices, but evaluate them on Mac capabilities today, not promises about Windows support tomorrow. Run a pilot with one team. Migrate 50 devices. See how the Blueprint model works for your environment before you commit the whole fleet.

If you’re running 5,000+ Macs with a dedicated Apple admin team and complex custom scripting requirements, Jamf Pro remains the standard. The community, the extension library, the scripting depth - it’s still unmatched for large, complex Apple environments. You’re paying more, but you’re getting the flexibility that large-scale operations demand.

If you need cross-platform RMM with Mac support but don’t need deep Apple-specific features, NinjaOne is a solid choice. Especially if you’re also managing Linux servers and want one pane of glass. It won’t give you the same Apple-native depth as Kandji or Jamf, but it covers the basics across every platform from a single console.

Whatever you pick, the connection to your AI governance framework is direct. MDM is how you enforce AI tool policies at the device level. It’s how you push approved configurations, block unauthorized applications, and maintain the audit trail that your compliance team needs. Without device management, AI governance is just a document that nobody follows. A brilliant governance policy sitting in a SharePoint folder does nothing if you can’t enforce it on the actual devices your people use every day.

The thing nobody talks about is that AI tool update management is already becoming a recurring operational burden. These tools ship updates weekly. Claude Desktop, ChatGPT Desktop, GitHub Copilot - they all update constantly. If you don’t have MDM controlling those updates, every developer is running a different version with different capabilities and different security postures. That’s not a theoretical risk. That’s Tuesday. And when a security vulnerability hits one of those AI tools, your remediation timeline depends entirely on whether you can push a forced update to every device or whether you’re sending another Slack message hoping people comply.

Look, the broader lesson here is boring but important. AI tool deployment doesn’t create new infrastructure problems. It exposes the ones you’ve been ignoring. The Macs you never properly managed, the endpoints that drifted out of compliance, the developer machines running whatever they want - none of that was caused by AI. AI just made it impossible to keep pretending it was fine.

The companies that struggle most with AI adoption aren’t struggling because the AI is hard. They’re struggling because their infrastructure was never ready for any cross-platform deployment, AI or otherwise. Fix that foundation, and the AI stuff becomes a normal IT project instead of a crisis.

Sort out your device management. Then deploy the AI tools. The order matters more than most people realize.

About the Author

Amit Kothari is an experienced consultant, advisor, coach, and educator specializing in AI and operations for executives and their companies. With 25+ years of experience and as the founder of Tallyfy (raised $3.6m), he helps mid-size companies identify, plan, and implement practical AI solutions that actually work. Originally British and now based in St. Louis, MO, Amit combines deep technical expertise with real-world business understanding.

Disclaimer: The content in this article represents personal opinions based on extensive research and practical experience. While every effort has been made to ensure accuracy through data analysis and source verification, this should not be considered professional advice. Always consult with qualified professionals for decisions specific to your situation.
