Skip to main content

Kandji

Deploying WhatPulse Professional with Kandji

Kandji is a modern cloud-based Apple MDM (Mobile Device Management) platform known for its "Blueprints" and automated compliance features. It allows IT admins to deploy custom apps (macOS .pkg, .dmg, or .zip files) and run scripts on managed devices. We can use Kandji's Custom Apps feature to deploy WhatPulse Professional to macOS devices, including steps to automate its activation in your WhatPulse organization. The process involves uploading the installer to Kandji, assigning it to device Blueprints, and utilizing pre/post-install scripts for additional configuration.

Prerequisites

  • Kandji Administrator Access: You should have a Kandji admin account and one or more Blueprints that contain the target macOS devices. Ensure the Macs are enrolled in Kandji (the Kandji agent is installed and running on them).
  • WhatPulse Installer (.pkg): Download the latest WhatPulse Professional .pkg installer for macOS from the WhatPulse downloads page. Kandji supports .pkg, .dmg, or .zip uploads for custom apps, but the .pkg is recommended as it installs silently.
  • Org ID and Settings: Your WhatPulse Organization ID for automatic activation. Also, decide if you will push a settings-overrides.ini – have it ready if so.

Deployment Steps

  1. Add WhatPulse as a Custom App: In the Kandji web console:
    • Navigate to the Library section and click Add New item. Choose Custom App from the options (this lets you deploy a custom macOS application).
    • Enter the Custom App Name – for example, "WhatPulse Professional". (This is the display name that will appear in Kandji and in Blueprints.) Assign it to one or more Blueprints under Assignment (pick the Blueprint(s) that include the devices you want to install WhatPulse on).
    • Set Execution Frequency to "Once per device" (since you just need to install it one time; you can use "Enforced" if you want Kandji to ensure it's always installed, but once-per-device is typical for app deployment).
    • Choose Package Type: Select Installer Package (since WhatPulse provides a .pkg).
    • Click the Upload or Choose File button and attach the WhatPulse .pkg file. Kandji will upload and store the file.
    • Leave Version and other fields as Kandji auto-fills them (you can add a description or category if you like).
  2. Pre-Install Script (Optional): Kandji allows an optional pre-install script to run before the package is installed on the device. In most cases for WhatPulse, you won't need a pre-script. (This could be used if you needed to uninstall a previous version or stop a conflicting process before installation. For a first-time deployment, you can skip it.) Ensure the field is blank or unused if not needed.
  3. Post-Install Script (Automatic Org Registration): Utilize the post-install script field to perform actions after WhatPulse is installed. We will use this to create the org ID file and (optionally) any config overrides. Enter a Bash script that Kandji will execute on the Mac after the package installs. For example:
#!/bin/bash
# Post-install script for WhatPulse – create org ID file
ORG_ID="<Your Organization ID>"
echo "$ORG_ID" > "/Applications/WhatPulse/wp-pro-org-id.txt"
chmod 644 "/Applications/WhatPulse/wp-pro-org-id.txt"

This script sets an ORG_ID variable to your org identifier and writes it to the wp-pro-org-id.txt file. The chmod 644 ensures readable by all users (not strictly necessary, but good practice). Running as root, this will succeed in writing the file. With this in place, every device that installs WhatPulse will automatically have the org file, causing the client to register itself.

If you also want to deploy a settings-overrides.ini, you can extend the post-install script. For instance:

# Include settings overrides (optional)
cat <<EOF > "/Applications/WhatPulse/settings-overrides.ini"
[Settings]
OpenAtLogin=false
EOF
chmod 644 "/Applications/WhatPulse/settings-overrides.ini"

This is just an example that might turn off auto-start at login (if that were a setting). Adjust content as needed or skip if not using overrides. (Remember, any lines you add will run on all devices after installation.) The post-install script in Kandji runs as root on the client Mac, right after the package installation, so it's ideal for dropping configuration files or making tweaks.

  1. Save the Custom App: Scroll down and click Save to create this Custom App item. Kandji will save the package and scripts configuration. Now "WhatPulse Professional" will appear as a Custom App in your Library.
  2. Deploy via Blueprint: If you already assigned the app to Blueprints in step 1, Kandji will automatically include it in those Blueprints. However, you may want to verify or adjust assignments:
    • Go to Blueprints in Kandji, edit the Blueprint that should deploy WhatPulse. You should see the new Custom App listed (on the left side library). If not already added, drag the WhatPulse Professional custom app into the Blueprint's app list (or to a specific group within the Blueprint if you use assignment groups).
    • Click Save or Done for the Blueprint. Kandji will now enforce that all devices in this Blueprint install the WhatPulse app.
  3. Approve Privacy Permissions: To avoid manual permission prompts on each Mac, deploy a Privacy profile via Kandji:
    • In Kandji's Library, add a Custom Profile (or use the pre-built Library item if Kandji offers a template for Privacy). Configure a Privacy Preferences Policy Control (TCC) payload.
    • Add WhatPulse to the payload, with the Accessibility permission set to "Allow" (without user consent) and Input Monitoring set to "Allow". You will need WhatPulse's Bundle ID com.whatpulse.mac – and the Team ID of the developer certificate for WhatPulse. (If unknown, you can find the Team ID by inspecting the signed app; for example, running codesign -dv --verbose=4 /Applications/WhatPulse.app on a Mac.)
    • Set both permissions to Allow. This will create a config profile that pre-approves those permissions. Without this, users will see dialogs on first run.
    • Scope this profile to the same devices (you can add it to the Blueprint as well, via the Profiles section, or assign to all Macs).
    • Save and publish the profile. Now, when WhatPulse is installed, the Kandji agent will also ensure the device has the profile, so when the app first launches, it already has the necessary Accessibility/Input Monitoring approval.
  4. Device Installation Process: Once the Blueprint updates (Kandji pushes changes to devices typically within a few minutes):
    • Each target Mac will download the WhatPulse installer package from Kandji's cloud.
    • Kandji's agent will install the package in the background (using the system installer). The install is silent.
    • After installation, Kandji runs the post-install script on the client: this will drop the wp-pro-org-id.txt (and overrides.ini if configured) onto the filesystem.
    • Because the org ID is placed immediately, when WhatPulse first runs, it finds the org file and knows to register to your organization.
  5. Verification:
    • In Kandji's console, go to Devices or the Blueprint and check the device status. The Custom App should show as Installed or have a green checkmark for each device once done. You can also look under the device's record > Applications to see if WhatPulse appears.
    • On a Mac, confirm that WhatPulse.app is in /Applications. You can also check /Applications/WhatPulse/wp-pro-org-id.txt exists and contains your org ID.
    • If the privacy profile was applied in time, the user should not see any permission prompts. To be safe, after installation, you might want to reboot or log out/in on one test Mac (since WhatPulse might be set to start at login). Upon login, WhatPulse will launch (if "Open at Login" is enabled by default) and should immediately function because the Accessibility/Input Monitoring is already allowed. If not using the profile, the user would get a prompt at this stage.
    • WhatPulse Dashboard: Log in to the WhatPulse Professional web dashboard. Navigate to Pending Computers in your organization. You should see the newly deployed Macs listed as pending activation. Each will have a random name unless you specified computer names; you can now activate them and assign to users as needed.
    • After activation, the WhatPulse clients on those Macs will fully start tracking and uploading stats (keystrokes, clicks, network usage, etc., as per your org settings).
    • Kandji will continue to enforce this app. If a user removes the app, Kandji can flag or even reinstall it (if you set the frequency to "Enforce"). Also, Kandji's compliance policies can be used to ensure WhatPulse stays installed and running.

Kandji's Custom App mechanism makes the deployment straightforward – it handles hosting the installer and executing our scripts before/after installation. By including the org ID creation in the post-install script, we achieve a zero-touch installation: users don't need to enter any org info. The Privacy profile further ensures users aren't interrupted with permission dialogs, aligning with a seamless deployment. Monitor Kandji for any errors (e.g., if a package fails to install, Kandji will report it), but otherwise, the Macs in scope should all receive WhatPulse and appear in your management dashboard automatically.