User Mapping on macOS with Kandji
Map macOS users in Kandji to Cyberhaven using a custom MDM configuration profile. Cyberhaven uses the user's email address as a unique identifier for mapping.
Before you begin
- Ensure target devices are assigned to Kandji Device Users with a registered email address.
- Copy the mobileconfig below into a text editor and save it as Cyberhaven-Kandji-UserMapping.mobileconfig.
Create and deploy the MDM profile
Create a new custom profile in Kandji: go to Library and click Add new.
Select Custom Profile, then click Add and Configure.
Name the profile (for example, Cyberhaven User Mapping Profile).
Under Install on, select Mac.
Assign the profile to the appropriate Blueprints.
Paste the contents of Cyberhaven-Kandji-UserMapping.mobileconfig (below) and upload the file.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Cyberhaven User Mapping</string>
<key>PayloadIdentifier</key>
<string>io.cyberhaven.lightbeam.66ECCE2B-09FA-4890-9A15-CF9C03803736</string>
<key>PayloadType</key>
<string>io.cyberhaven.lightbeam</string>
<key>PayloadUUID</key>
<string>66ECCE2B-09FA-4890-9A15-CF9C03803736</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>mdm_username</key>
<string>$EMAIL</string>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Cyberhaven User Mapping Profile</string>
<key>PayloadIdentifier</key>
<string>com.kandji.profile.custom.deb6d422-7700-47cb-86ca-9624ce666b37</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>deb6d422-7700-47cb-86ca-9624ce666b37</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Verify user mapping on a device
To confirm that the mapping from the previous procedure is working as expected, follow these steps.
Validate Mapping
On a device where the profile is deployed, run:
defaults read /Library/Managed\ Preferences/io.cyberhaven.lightbeam
Confirm the mdm_username field shows the device user's email address.
Example output:
{
PayloadUUID = "deb6d422-7700-47cb-86ca-9624ce666b37";
backend = {
dlp_url = "https://test.cyberhaven.io";
installer_token = "eyJhbGcviHRxNWOHzmOs6go_tw.....";
url = "https://test.cyberhaven.io";
};
mdm_username = "clu@cyberhaven.eu";
use_system_extension = 0;
version = "2.0.5";
}
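The verification step above, as an added example script (not Cyberhaven's or Kandji's own code): it reads only the mdm_username key and classifies the value, so a device where it is empty, still the literal $EMAIL placeholder, or not shaped like an email address can be flagged. The function names and the --audit argument are hypothetical, and treating a leading $ as an unsubstituted variable is an assumption.

```shell
#!/bin/sh
# Added example: audit the mdm_username value delivered by the user-mapping
# profile. Function names and the --audit argument are hypothetical.

# Managed preference domain, taken from the verification step on this page.
DOMAIN="/Library/Managed Preferences/io.cyberhaven.lightbeam"

# classify_mdm_username VALUE
# Prints one word describing VALUE; returns 0 only for an email-shaped value.
classify_mdm_username() {
    if [ -z "$1" ]; then
        echo "missing"          # key absent or profile not installed
        return 1
    fi
    case "$1" in
        '$'*)
            # Assumption: a leading "$" means the MDM variable was never
            # replaced with the assigned user's email address.
            echo "unsubstituted"
            return 1
            ;;
    esac
    # Loose shape check only: one "@", no whitespace, a dot in the domain.
    if printf '%s' "$1" |
        grep -Eq '^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+$'; then
        echo "ok"
        return 0
    fi
    echo "not-an-email"
    return 1
}

# audit_device: read the single key with `defaults` and classify it.
# A failed read (missing plist or key) yields an empty value -> "missing".
audit_device() {
    mdm_value="$(defaults read "$DOMAIN" mdm_username 2>/dev/null)"
    classify_mdm_username "$mdm_value"
}

# Touch the device only when explicitly asked: sh thisfile.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_device
    exit $?
fi
```

Run with --audit on a managed Mac; the exit status is non-zero for any result other than ok, so the script can gate a compliance check.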