Administrators can now enforce a specific Windows 11 feature version across their fleet using Managed OS Library Items. This gives you direct control over which build your Windows 11 computers run, so you can keep devices on a known-good version instead of relying on each computer to update on its own schedule.
Wildcard support in the EDR Library Item provides greater flexibility when managing allow and block lists.
This update introduces recursive wildcarding. Administrators can establish dynamic, broad-matching rules rather than specifying exact paths or filenames individually, streamlining configuration within the interface.
The Automated Device Enrollment Library Item for Apple devices has been updated with the following enhancements:
Devices can be forced to upgrade to beta OS releases before they enroll, ensuring complete test coverage of critical enrollment workflows when testing beta Apple OS releases.
For Mac, devices can always be forced to update to the latestpublic...
Managed OS Library Items for Apple devices now support enforcing beta releases using AppleSeed for IT beta tokens provided through Apple Business. These beta tokens synchronize to Iru automatically with configured Automated Device Enrollment (ADE) integrations.
Additionally, automated upgrade timing is now separate from updates and has its own enforcement...
We’ve rebranded and released updates to the following open source enterprise API utilities:
Kandji Sync Tool (kst) has been renamed to Iru Control (iructlv1.3.0) , Kandji Packages (kpkg) to Iru Packages (irupkgv2.1.0), and Kandji AutoPkg Processor Actions (KAPPA) to Iru Orchestration Tool for AutoPkg (IOTAv1.1.0). These rebrands are fully backwards...
Vulnerability Management now supports excluding specific devices from vulnerability reporting.
You can exclude a device directly from its device record or from the Devices tab within any CVE detail view. Excluding a device removes it from all CVE affected device counts across your fleet and stops vulnerability notifications from being sent for that device....
We’ve released Iru Agent for Mac 5.1.16 (5386), which now makes smarter decisions about when to download managed software if the current connection is believed to be constrained (like on Low Data Mode), expensive (like a mobile hotspot), or both.
Key improvements
Background Auto App update downloads are deferred on limited networks unless the install is...
Endpoint Detection and Response for Windows is now generally available.
Endpoint Detection and Response (EDR) for Windows brings file-based threat detection and automated response to your Windows endpoints. Malicious files, PUPs, and unknowns are automatically categorized and acted on, keeping your fleet protected from the moment devices enroll.
A new unified activity experience is now available through our classic activity page for easier debugging and tracking across your environment. Unified Activity brings all of your events into one timeline across Endpoint, Detections, Vulnerabilities, and Compliance. You can switch to the new view whenever you're ready. The new experience includes full JSON...
The new phased rollout option for Mac Auto Apps gives admins more control over how updates are introduced across their fleet.
Instead of offering a new version to every device at the same time, admins can enable phased rollout and choose a rollout window between 1 and 7 days (in hours). Devices are then offered the update gradually over that period, helping...
Managed OS Library Items for Apple devices now have an updated look and feel and offer powerful new levels of control for IT teams, with more coming soon.
IT teams can now define a specific version (and optional build) to enforce on devices.
Time enforcement has also been enhanced to allow for any time instead of predefined 30 minute increments.
This release includes miscellaneous bug fixes and performance improvements. Additionally, it includes improvements for handling new Microsoft Conditional Access requirements in Iru Passport. For more details on these changes, reference our product documentation.
Microsoft Teams notifications give administrators the ability to receive alerts about detections directly within their communication platform.
This feature allows the configuration of Microsoft Teams notifications in the same manner as existing Slack integrations. Administrators can manage alert routing for the Detections section to ensure visibility into...
Iru Self Service for iOS and iPadOS will begin rolling out globally on June 3, 2026, at 10:00 AM PDT as an update to the existing Kandji Self Service app. Iru Self Service will show as Iru on the Home Screen. The bundle ID remains io.kandji.Self-Service-Mobile.
A new AD CS connector is now available for Iru tenants.
If you still use AD CS from a Kandji tenant, first upgrade your tenant to Iru, then install the new connector from your Iru tenant. During cutover, you can run the legacy and new connectors on different servers. You can reassign AD CS servers using Assign servers once the new server is approved, or...
This release includes miscellaneous bug fixes and performance improvements.
Specifically, this release brings further performance enhancements to application inventory collection for customers using Iru Endpoint but not Iru EDR.
File and Behavioral Detections are combined into a single view. This update includes a filter to isolate either file detections or behavioral detections. The Threat Status column is normalized to align consistently across both detection types.
Note, this update modifies solely the interface and does not alter underlying data.
Settings to configure Windows Autopilot for MDM auto-enrollment to Iru during out-of-box experience (OOBE) on new Windows devices are now available under Integrations in Iru. The one-time setup covers app registration in Microsoft Entra ID and a custom domain for your tenant.
The setup provides a guided flow with step-by-step instructions and lists the...
Organizations using Iru's Okta Device Trust (ODT) integration can now configure the integration on the Okta Verify Auto App for Mac in addition to, or instead of, on the App Store App version. Assignment Maps ensure only one or the other will be installed on Mac computers at one time. Using the Auto App provides an easier setup process and improved update...
Iru MCP is a Model Context Protocol integration that exposes the Iru Endpoint Management API as MCP tools for assistants such as Claude, Cursor, and other MCP-enabled clients.
Create an API key and enable MCP for the API key in Iru. After setup, Iru displays the token once together with a ready-to-paste MCP configuration for HTTP transport: MCP server URL,...
When the enforcement deadline for a Windows Custom App or Auto App arrives and a blocking process is still running, users now see a 5-minute countdown dialog. The dialog names the app, gives users time to save their work, and offers two options: Update now, which closes the app immediately and runs the install, or Delay for 1 hour, which defers the...
This version improves the sequencing of installing agent Library Items during the configuring stage (await_device_configured) of Automated Device Enrollment (ADE).
Managed OS for iOS, iPadOS, and tvOS has been updated. The latest approved versions are now 26.5, 18.7.9, and 17.7.11, with the following release dates:
Managed OS for macOS has been updated. The latest approved version for Tahoe is now 26.5; for Sequoia, 15.7.7; and for Sonoma, 14.8.7, with the following release dates:
The Migration Assistant Library Item for Mac provides the ability to customize what should be migrated or excluded during Mac-to-Mac migrations during Setup Assistant for target Mac computers running macOS 26.4 or later.
Using declarative device management (DDM), this declaration is automatically delivered to devices and applied during Setup Assistant if...
Settings to configure Platform Single Sign-On (PSSO) in Setup Assistant for macOS 26 Tahoe are now available in the Single Sign-On Extension Library Item.
To configure PSSO in Setup Assistant, configure the Install Library Items during Setup Assistant option in an ADE Library Item. Add a Single Sign-On Extension Library Item along with an app from a...
This version adds support to install Library Items during Setup Assistant that are specified in the Install Library Items during Setup Assistant option in ADE Library Items. Additionally, it brings performance enhancements to application inventory collection.
Library Items can now be installed during Setup Assistant for devices enrolling via Automated Device Enrollment. Inside the Automated Device Enrollment Library Item, turn on Install Library Items during Setup Assistant for a platform and add Library Items to install. The device is held at the Configuring screen during ADE enrollment until every Library Item...
This release includes miscellaneous bug fixes and performance improvements. Additionally, this version addresses an issue that may have caused slower than usual logins in Passport.
A dedicated Windows system tray application gives end users a clear prompt to close applications that block an install when an Auto App or Windows Custom App deployment runs.
The tray icon uses the Iru jelly-style mark. When an install targets processes you configured to detect as open apps, the tray application surfaces a prompt so users can close those...
Device Isolation gives you the ability to immediately sever a network connection for any macOS device suspected of compromise. This feature, accessible directly within the Detections section, allows for rapid containment of active threats like malware or unauthorized lateral movement.
This feature was released in preview mode on March 5, 2026. Today, this...
The Windows Custom App Library Item deploys Win32 applications via MSI and EXE packages to Windows devices, with full control over installation, detection, and enforcement.
Upload a zipped installer containing your MSI or EXE and any supporting files, define silent install and uninstall commands, and configure detection logic so the agent knows whether the...
The udid attribute is now available in the main /devices enterprise API endpoint, meaning it's no longer necessary to loop through each device to read this attribute.
The restriction to Disallow Rosetta usage awareness (allowRosettaUsageAwareness) is now available in the Apple Restrictions Library Item.
This restriction turns off Rosetta usage awareness, which prevents a pop-up dialog being displayed to the user indicating that Rosetta will be removed in a future version of macOS. It deploys to macOS 26.4 and later.
Windows Server Update Services (WSUS) settings in the Windows Update Library Item control where Windows devices receive updates: an internal Windows Server Update Services (WSUS) server, Microsoft Update, or a combination of both.
The Update service URL can be configured to route devices to a WSUS server, while the update source for feature updates, quality...
This update includes an informational banner in the Menu Bar App to inform end-users about the upcoming branding change on April 8 from Kandji to Iru, shown below.
For more information about what to expect in the branding change, see our product documentation.
The Threats tab in left navigation panel has been renamed Detections.
Additionally, "Threats by severity" and "Threats over time" have been renamed to "Detections by severity" and "Detections over time" on the Home page, Devices page, and in Iru AI.
This release includes miscellaneous bug fixes and performance improvements.
Security
CVE-2026-39118 — An access control issue existed in the Kandji Agent (macOS). A local attacker with standard user privileges could invoke restricted functionality. This issue was addressed with improved validation.
Managed OS for macOS has been updated. The latest approved version for Tahoe is now 26.4; for Sequoia, 15.7.5; and for Sonoma, 14.8.5, with the following release dates:
The Windows Update Library Item gives you control over how and when updates install on Windows devices.
Configure auto update behavior with options ranging from notify-only to fully silent installs. Set active hours to protect users from disruptive restarts during the workday, and remove the ability for users to pause updates from the Windows Update...
Specific ADE Library Items can now be assigned directly to devices in the Awaiting Enrollment table, providing further flexibility to the ADE enrollment process. These assignments can be made on a one-off basis, in bulk, or via the enterprise API, and override what is assigned to the Blueprint or Blueprint Routing.
This release includes miscellaneous bug fixes and performance improvements. Additionally, the last opened date/timestamp for Mac apps is now collected by the agent and submitted to Prism during daily check-ins.
The Kandji Agent now keeps track of when Mac apps were last opened throughout the day, as reported by macOS. The most recently recorded date/timestamp is submitted daily to Prism during the Kandji Agent's daily check-in. macOS regularly updates the last opened date/timestamp of apps as they are used, making this data useful for license monitoring and...
The reset work profile passcode command is now available for Android devices. This command can be sent from the Devices page and the Iru enterprise API.
The reset work profile passcode command clears the current work profile passcode and lets you optionally set a new one for the end-user. If the device has an Android Work Profile Passcode Library Item...
License utilization information is now accessible from the Billing tab in the organization flyover for migrated Iru tenants, providing administrators with a consistent entry point for viewing product entitlements.
Administrators can view purchased licenses, assigned usage, and remaining capacity, including product-specific license views, all within a single...
Device Isolation gives you the ability to immediately sever a network connection for any macOS device suspected of compromise. This feature, accessible directly within the Threats section, allows for rapid containment of active threats like malware or unauthorized lateral movement.
Administrators can choose between two levels of isolation based on the...
Blueprint Routing provides a simplified enrollment experience across all platforms by dynamically assigning devices to the correct Blueprint during enrollment. Routing decisions are based on device and user attributes evaluated against admin-defined rulesets.
Blueprint Routing works alongside Assignment Maps:
The CIS Level 1 and Level 2 Blueprint templates have been fully updated to align with the macOS 15 and macOS 26 CIS benchmark recommendations.
This includes the following new Parameters that can be turned on for any existing Blueprint and are automatically included in new Blueprints created from the CIS templates:
Managed OS for macOS has been updated. The latest approved version for Tahoe is now 26.3; for Sequoia, 15.7.4; and for Sonoma, 14.8.4, with the following release dates:
New Windows Auto Apps have been added to the catalog and are now available for all Iru Endpoint customers.
010 EditorBurp Suite Community EditionDisplayFusionDittoFar Manager 3Front AppIrfanViewLetturaMicrosoft AccessMicrosoft ExcelMicrosoft Outlook (classic)Microsoft PowerPointMicrosoft WordMPC-HC...
Preserve managed apps when migrating into Iru with Apple’s device management service migration, available for iPhone and iPad running iOS 26+ and iPadOS 26+.
Managed apps can now remain installed and configured on the device after completing the device management service migration. This prevents business critical managed apps from needing to be...
Refresh eSIM, set personal hotspot, and set data roaming commands are now available for iPhones and cellular-enabled iPads. These commands can be sent from the Devices page and the Iru enterprise API.
The refresh eSIM command instructs the device to contact a carrier eSIM server, also known as an SM-DP+ server, and download an available eSIM profile. This...
The Certificate Library Item now supports granular control over where PKCS #1 certificates are installed on Windows devices.
This feature extends certificate management by allowing PKCS #1 certificates to be targeted to specific Windows certificate stores, including Trusted Root Certification Authorities, Trusted Publishers, OEM eSIM Certification...
The Windows Custom Script Library Item gives administrators direct control to run custom PowerShell scripts on Windows devices.
This feature adds a dedicated library item for Windows that supports uploading signed PowerShell scripts or manually entering script content. Scripts can include optional command-line parameters and remediation scripts, allowing...
The In-House app Library Item now supports managed app configuration (AppConfig) for all Apple platforms: iOS, iPadOS, tvOS, and visionOS. This works the same way as AppConfig for App Store apps. When uploading an In-House app, you can set an app configuration by pasting an XML dictionary of key-value pairs. When the app deploys to devices, the XML...
Managed OS for macOS has been updated. The latest approved version for Tahoe is now 26.2; for Sequoia, 15.7.3; and for Sonoma, 14.8.3, with the following release dates:
Custom links can now be added when configuring Windows Auto Apps in Self Service. The links appear in the app details view, allowing admins to include resources such as documentation, setup instructions, or support portals with customizable link names and URLs.
The Avert Library Item has been renamed the EDR Library Item. This update ensures the Library Item name within the Library section aligns with the product name.
Note, this change affects only newly created Library Items; existing items remain unchanged.
iPhone and iPad devices running iOS 26+ and iPadOS 26+ can now enroll into Iru using Apple’s new device management migration feature, with the ability to manage Activation Lock in the process. Once a migration deadline has been set in Apple Business Manager, this date and time can be displayed in Iru under a new optional Migration deadline column on the ...
Vulnerability Management now supports application and OS vulnerabilities on Windows.
Vulnerability Management now supports Windows devices with the same vulnerability detection and monitoring capabilities as macOS, including CVE dashboards, risk scoring, known exploit metrics, Slack and S3 integrations, accept risk functionality and enterprise API support.
Deleting a Blueprint is no longer possible when devices are still assigned to it. Previously, deleting a Blueprint also deleted all assigned devices. This change reduces the risk of accidental device deletion.
To change the assigned Blueprint for multiple devices or delete multiple devices at once, select the devices in the Devices section and use the mass...
App Store app Library Items with no licenses assigned to the Apps and Books token in Apple Business Manager for your Iru tenant can now be deleted from the Library.
Managed OS for macOS has been updated. The latest approved version for Tahoe is now 26.1; for Sequoia, 15.7.2; and for Sonoma, 14.8.2, with the following release dates:
This release includes miscellaneous bug fixes and performance improvements.
Additionally, with Kandji EDR, if any file is quarantined within an app bundle, all running processes with a launch path within that app bundle are now terminated.
Managed OS for macOS has been updated. The latest approved version for Tahoe is now 26.0.1; for Sequoia, 15.7.1; and for Sonoma, 14.8.1, with the following release dates:
Threats now includes severity level to help InfoSec teams quickly assess the criticality of detected threats. Each threat event is assigned one of five severity levels: Critical, High, Medium, Low, and Informational.
The threats table now includes a Severity column that displays the corresponding severity level for each threat. You can sort and filter...
The Threats section now includes a tags column, providing visibility into which tags are associated with each threat. Threat tags can be created, edited, and deleted within the threats section.
Tags for threats let you flexibly categorize detections with custom labels, streamlining management and enhancing team collaboration by aligning organization and...
Managed OS for macOS Tahoe has been added. The latest approved version is now 26.0, with the following release date:
macOS 26.0: September 15, 2025
Additionally, Managed OS for macOS has been updated. The latest approved version for Sequoia is now 15.7 and for Sonoma, 14.8, with the following release dates:
Managed OS for tvOS 18.4 and later now uses Declarative Device Management (DDM) to apply updates, ensuring a more reliable experience. No admin action is required.
The new Default Apps Library Item allows you to set default apps for web browsing, calling, and messaging on iPhone and iPad.
You can select the defaults from a list of App Store app in your Library and pre-installed Apple apps, as well as prevent users from changing the default setting.
This feature is compatible with iPhones and iPads running iOS 26 and...
Managed OS for macOS has been updated. The latest approved version for Sequoia is now 15.6.1; for Sonoma, 14.7.8; and for Ventura, 13.7.8, with the following release dates:
The Threats page now includes two new visual tiles at the top: one shows a trend of threats in your environment over time, and the other displays the total number of devices affected by any threat at a glance.
Both tiles will be present in the Threats section for customers with Endpoint Detection and Response enabled.
Managed OS for macOS has been updated. The latest approved version for Sequoia is now 15.6; for Sonoma, 14.7.7; and for Ventura, 13.7.7, with the following release dates:
Vulnerability Management now supports auto remediation of CVEs for apps on macOS, when an update for the app is available from the Auto App catalog.
With the new Vulnerability Response Library Item, you can define remediation rules (Enforce update upon detection, Enforce update on a timeframe, or no action) based on CVE severity (Critical, High, Medium,...
As of today, you can now integrate Kandji with your own Amazon S3 bucket for external activity log storage. The integration pushes event data to your specified S3 bucket using cross-account access via a Kandji-provided IAM role, enabling centralized activity collection and analysis.
Users will now receive a notification when Kandji terminates a potentially malicious process. This will inform the user why a requested behavior is not happening.
This release also includes miscellaneous bug fixes and performance improvements.
Stay up to date
Iru's bi-weekly collection of articles, videos, and research to keep IT & Security teams ahead of the curve.