Device Containment — Kandji / Iru
Challenge locks devices managed by Kandji or Iru using the tenant API. On macOS, Kandji/Iru generates the unlock PIN and returns it in the lock API response.
Credentials
- In your Kandji or Iru tenant, create an API token with permission to list devices and lock devices.
- Copy your tenant API URL (shown when the first token is created).
- In Challenge, open Integrations → Device Containment → Kandji / Iru.
- Set Tenant API URL and API token.
- Optionally set a Lock message for macOS 14+.
- Enable the integration and save.
API calls Challenge makes
| Step | Method | Endpoint | Expected status |
|---|---|---|---|
| Lookup (email) | GET | /api/v1/devices/?user_email={email} | 200 |
| Lookup (hostname) | GET | /api/v1/devices/ (filter/search) | 200 |
| Lookup (serial) | GET | /api/v1/devices/ (serial filter) | 200 |
| Lock | POST | /api/v1/devices/{device_id}/action/lock | 200 |
Least-privilege guidance
Token permissions should include device list/read and Lock device only. See Iru device lock API and Kandji API overview.
Lookup formats
| Lookup type | Value example |
|---|---|
| user_email | alice@example.com |
| hostname | Device name in Kandji |
| serial_number | Apple serial number |
| provider_device_id | Kandji device_id |
Lock PIN behavior
For macOS, Kandji/Iru generates a 6-digit EFI PIN after the lock command is received. Challenge parses the API response and returns lock_pin in result metadata. Do not send a PIN in the request — the MDM handles generation.
Troubleshooting
| Symptom | Check |
|---|---|
| http_403 | API token permissions |
| device_not_found | User email not linked on device record |
| No PIN in response | iOS/iPadOS uses existing passcode; PIN may not apply |
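The lookup-then-lock sequence from the API calls table, with the failure symptoms from the troubleshooting table, as an added example (not Challenge's own code). The function names, the injected `call` transport, the constructed `fake_tenant` data, the Bearer authorization header, and the response shapes (a JSON list of devices carrying `device_id`, and a `PIN` key in the lock response) are assumptions; locking every device returned for the user is this example's choice.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

def http_call(method, url, token):
    """Real transport: returns (status, parsed JSON or None)."""
    req = urllib.request.Request(
        url, method=method, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None

def contain_by_email(base_url, token, email, call=http_call):
    """Look up a user's devices and lock each one (this example's policy)."""
    query = urllib.parse.urlencode({"user_email": email})
    status, devices = call("GET", f"{base_url}/api/v1/devices/?{query}", token)
    if status != 200:
        return {"ok": False, "error": f"http_{status}"}
    if not devices:
        return {"ok": False, "error": "device_not_found"}
    results = []
    for dev in devices:  # assumed shape: list of objects with "device_id"
        dev_id = urllib.parse.quote(str(dev["device_id"]), safe="")
        status, body = call(
            "POST", f"{base_url}/api/v1/devices/{dev_id}/action/lock", token)
        # No PIN is sent in the request; macOS locks return one, iOS may not.
        pin = (body or {}).get("PIN") if status == 200 else None  # assumed key
        results.append({"device_id": dev["device_id"], "locked": status == 200,
                        "status": status, "lock_pin": pin})
    return {"ok": all(r["locked"] for r in results), "devices": results}

def redact(result):
    """Copy of the result safe for logs: the unlock PIN is masked."""
    devices = [dict(d, lock_pin="***" if d["lock_pin"] else None)
               for d in result.get("devices", [])]
    return dict(result, devices=devices) if devices else dict(result)

def fake_tenant(method, url, token):
    """Constructed stand-in for a tenant so the example runs offline."""
    if token != "good-token":
        return 403, None
    if method == "GET":
        known = "user_email=alice%40example.com" in url
        return 200, ([{"device_id": "mac-1"}, {"device_id": "ipad-2"}] if known else [])
    return 200, ({"PIN": "123456"} if "/mac-1/" in url else {})
```

The unlock PIN is a recovery secret for the locked Mac, so log the `redact()` copy and keep the raw result in restricted storage.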