Kandji helps secure Apple enterprise with Vulnerability Response
Apple device management vendor Kandji has introduced new tools designed to protect corporate devices from vulnerabilities. Dubbed Vulnerability Response, the software lets customers configure accelerated software updates for more than 200 Mac applications based on the severity of the vulnerabilities.
I caught up with Justin Safdie, the company’s general manager of endpoint security, and Weldon Dodd, distinguished solutions engineer at Kandji, to find out more about these new tools and take a temperature check about Apple’s place in enterprise markets. The two also weighed in on Apple’s recent enterprise announcements at WWDC.
What matters about Apple’s enterprise advances?
Apple’s enterprise credentials are growing as the opportunities for its devices in the enterprise space expand. With the imminent shuttering of Windows 10 support, “enterprise customers are more open than ever to allowing user choice for a work computer,” said Dodd.
“With enterprise adoption of macOS at an all-time high, this is definitely a good time to consider adopting Mac instead of Windows 11 PCs,” Dodd said. “The lifetime cost of a Mac is often significantly lower than supporting a PC over three to four years, so it is a good time to encourage users to pick [a] Mac for their next work device.”
This isn’t just a pipedream — the move to Apple’s ecosystem across business is a visible trend, Dodd told me. “We talk to customers every day that are looking to expand their Mac deployment,” he said. “I’m thinking of one of our enterprise customers that has a Mac fleet of 40,000.”
He noted that since those thousands of Macs were deployed, the company is seeing other employees requesting Apple hardware because they see the usability and productivity benefits their colleagues enjoy.
Managing and management
Perhaps unsurprisingly, given the company’s attempt to build its own customer base, Dodd was particularly keen on Apple’s recently announced Device Migration tool, which makes it easier to migrate between MDM systems.
“Previously, moving between Device Management services would result in the device being erased and going through setup again. Moving Mac fleets can be a little more involved, but Device Migration offers similar benefits,” he said.
Dodd also pointed to improvements in Platform SSO, which now allows for the creation of the very first account on the Mac using cloud identity credentials, and the new Apple Business Manager API that makes it easier to integrate AppleCare warranty data with ITSM solutions such as ServiceNow.
What is Vulnerability Response?
Apple did announce improvements to its implementation of Declarative Device Management at WWDC. To some extent, you could argue that these cover some of the same ground as Kandji’s new offering, but they are not connected. “Our vulnerability detection and patching solutions rely on the existing Kandji device management capabilities to collect app version info from managed devices,” Dodd said.
“Apple has extended Declarative Device Management (DDM) in future versions of macOS Tahoe to include installing application packages,” he said, suggesting the improvements also “open new doors for Kandji to push device management even further, particularly around automated app deployment.”
Kandji’s new tool is a policy within the MDM. Once it’s in place, the Kandji agent knows to check installed Mac apps against the latest Common Vulnerabilities and Exposures (CVE) data. “If it detects a vulnerable app, the agent applies your predefined rule for that CVE’s severity. You can tell it to patch the app right away, schedule the update for a specific time that respects the user’s local time zone, or simply log the issue and take no action,” Safdie said.
“Updates are driven by real‑time vulnerability data instead of a generic ‘once‑a‑week’ Windows patch, which means security gaps close as soon as fixes are available,” Safdie said. “Enabling Vulnerability Response should have no additional impact to resource usage, as it is leveraging the data and processes that are already in place for our MDM solution.”
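To make the severity-driven policy described above concrete, here is an added sketch; it is not Kandji's code or data model. The rule table, feed format, app names, placeholder CVE ids and the 20:00 local update window are all assumptions made for illustration.

```python
from datetime import datetime, time, timedelta, timezone

# Hypothetical severity -> action rules, using the three actions named in the article.
RULES = {"critical": "patch_now", "high": "patch_now", "medium": "schedule", "low": "log_only"}
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample data: placeholder CVE ids, made-up apps and versions.
FEED = [
    {"cve": "CVE-0000-0001", "app": "ExampleChat", "fixed_in": "6.2.1", "severity": "critical"},
    {"cve": "CVE-0000-0002", "app": "ExampleChat", "fixed_in": "6.1.0", "severity": "low"},
    {"cve": "CVE-0000-0003", "app": "ExampleNotes", "fixed_in": "3.4", "severity": "medium"},
    {"cve": "CVE-0000-0004", "app": "ExamplePDF", "fixed_in": "2.0", "severity": "high"},
]
DEVICE = {"utc_offset_hours": -7,
          "apps": {"ExampleChat": "6.0.9", "ExampleNotes": "3.3.9", "ExamplePDF": "2.0.0"}}
NOW = datetime(2025, 7, 1, 4, 30, tzinfo=timezone.utc)  # 21:30 the previous day on the device

def vkey(version):
    """'6.10.0' -> (6, 10); numeric compare, trailing zeros ignored so 2.0 == 2.0.0."""
    parts = [int(p) for p in version.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def next_window(now_utc, utc_offset_hours, local_time):
    """Next occurrence of local_time on the user's clock, returned in UTC."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local_now = now_utc.astimezone(tz)
    slot = datetime.combine(local_now.date(), local_time, tzinfo=tz)
    if slot <= local_now:  # today's window has already passed locally
        slot += timedelta(days=1)
    return slot.astimezone(timezone.utc)

def evaluate(device, now_utc, local_time=time(20, 0)):
    """One decision per vulnerable app, driven by its most severe unpatched CVE."""
    worst = {}
    for entry in FEED:
        app, installed = entry["app"], device["apps"].get(entry["app"])
        if installed is None or vkey(installed) >= vkey(entry["fixed_in"]):
            continue  # not installed, or already at a fixed version
        worst[app] = max(worst.get(app, entry), entry, key=lambda e: RANK[e["severity"]])
    plan = {}
    for app, entry in worst.items():
        action = RULES[entry["severity"]]
        when = {"patch_now": now_utc, "log_only": None}.get(action)
        if action == "schedule":
            when = next_window(now_utc, device["utc_offset_hours"], local_time)
        plan[app] = (entry["cve"], action, when)
    return plan
```

Calling `evaluate(DEVICE, NOW)` returns one `(cve, action, when)` decision per vulnerable app. The scheduled update falls on the next local 20:00 even though the UTC date has already rolled over.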
Patch fast to survive
The solution should be of particular benefit to businesses that need to meet strict patch‑management SLAs (such as NIST), patching high-severity vulnerabilities within 30 days. “It is designed for any industry where audit‑ready remediation timelines are business critical or lean IT teams that want their security updates to happen automatically,” Safdie said.
Of course, the ongoing insecurity landscape is what makes this solution potentially useful to Kandji customers. The recent Verizon 2025 Data Breach Investigations Report (DBIR) told us that 20% of breaches in 2024 were directly attributed to attackers exploiting known, unpatched vulnerabilities.
Companies at present seem slow to protect themselves, with almost 75% of them taking more than a month to secure against vulnerabilities once they are identified, leaving businesses wide open to attack.
That’s bad for any business. And while it remains true to say Apple products remain inherently more secure, that security is not complete; a combination of factors — from user error to slow update installation — leaves even those systems at risk. In other words, tools to help deploy essential software patches should be mandatory across any organization, even on a Mac.