In Q1 2024 we hit a wall with our MDM. Jamf had served us well, but we'd grown past what a two-person IT team could reasonably operate. Policy drift had set in: we had 200+ smart groups that nobody fully understood, certificate-based Wi-Fi profiles that expired silently, and a compliance reporting workflow that took me four hours every Friday.
Something had to change.
I'd evaluated Kandji twice before and passed both times. Third time, I finally said yes.
Why We Left Jamf
Jamf's power is also its problem: it's infinitely configurable. Six years of configuration by three different IT admins had produced a tenant that was functionally correct but completely unmaintainable. Nobody could confidently answer "what would happen if I removed this smart group?" There were dependencies between groups that weren't documented anywhere except in the implicit logic of the configuration.
The technical debt wasn't Jamf's fault. It was ours. But it's a category of debt that's essentially impossible to pay down inside Jamf, as the model encourages building more groups and conditions, not consolidating them.
The other factor: certificate-based Wi-Fi profiles. We relied on device certificates for network access control. In our Jamf setup, certificate renewal was not automatic: replacement certificates had to be pushed manually via policy, and nothing warned us ahead of expiry. We'd had two silent expiry events in the past year where devices lost network access because a certificate expired and nobody noticed. In Kandji, the certificate lifecycle (issuance and renewal) is handled by the platform.
Why Kandji
The short answer: blueprints. Kandji's blueprint model lets you define a device configuration declaratively and push it. One blueprint per device population (engineer Mac, employee Mac, loaner). If a device drifts from the blueprint, Kandji remediates it automatically. No smart groups, no policy ordering, no implicit dependencies.
The longer answer: native Okta Device Trust integration. We'd rolled out Okta Device Trust to enforce that only managed, compliant devices could access SaaS apps. In Jamf, this required a custom extension attribute, a Jamf Connect flow, and periodic manual verification that device trust certificates hadn't expired. In Kandji, the Okta integration is native: Kandji syncs compliance state to Okta automatically, in real time.
The Migration Architecture
I scoped the project for six weeks. In retrospect, six weeks was aggressive for a team of two, but we had a board presentation at week eight and I wanted compliance reporting out of spreadsheets before then.
Phase 1 (Week 1–2): Parallel enrollment and pilot. We enrolled 25 volunteer devices into Kandji while keeping them enrolled in Jamf simultaneously. Both MDMs managed the device at the same time, which was technically fine because we weren't pushing conflicting profiles. This validated that Kandji blueprints were producing the expected configuration before touching anyone who wasn't opted in.
Phase 2 (Week 2–4): Department-by-department waves. We scheduled 45-minute migration sessions with each team. The flow: unenroll from Jamf (automated via script), enroll in Kandji via ADE or the enrollment URL, and let blueprint assignment run automatically.
Average migration time per device: 8 minutes. Most people never noticed.
We ran waves of 25–30 devices at a time.
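The per-device cutover above (drop the Jamf MDM profile and framework, then pull the Kandji ADE enrollment profile and confirm it landed) is sketched here as an added example. It is not the author's script and not Kandji's or Jamf's own tooling. It assumes the Jamf binary lives at /usr/local/bin/jamf, that the Mac's serial has already been reassigned to the Kandji MDM server in Apple Business Manager, and that your Jamf and Kandji MDM hosts end in jamfcloud.com and kandji.io respectively; adjust the `classify_mdm` patterns if not. The parsing functions read `profiles status -type enrollment` output from stdin so they can be checked against a captured sample without touching a real device.

```shell
#!/bin/sh
# Added example: Jamf -> Kandji cutover for one Mac. Not the post author's script.
# ASSUMPTION: Jamf binary path, jamfcloud.com / kandji.io hostnames, and that the
# serial is already assigned to Kandji in Apple Business Manager before this runs.
set -eu

JAMF_BIN="/usr/local/bin/jamf"   # ASSUMPTION: standard Jamf binary location
POLL_SECONDS=5
POLL_MAX=60                      # 60 * 5s = 5 minutes to wait for each state change

# Read `profiles status -type enrollment` output on stdin; print yes/no for MDM enrollment.
mdm_enrolled() {
  if grep -iq '^MDM enrollment: *Yes'; then echo yes; else echo no; fi
}

# Read the same output on stdin; print the MDM server hostname (empty if absent).
mdm_server_host() {
  sed -n 's|^MDM server: *https\{0,1\}://\([^/]*\).*|\1|p' | head -n 1
}

# Live snapshot of enrollment state (only called on a real Mac).
enrollment_status() {
  profiles status -type enrollment 2>/dev/null || true
}

# Classify a status dump as jamf / kandji / none / other.
classify_mdm() {
  local status host
  status="$1"
  if [ "$(printf '%s\n' "$status" | mdm_enrolled)" = no ]; then
    echo none
    return 0
  fi
  host=$(printf '%s\n' "$status" | mdm_server_host)
  case "$host" in
    *.jamfcloud.com) echo jamf ;;    # ASSUMPTION: hosted Jamf; on-prem hosts differ
    *.kandji.io)     echo kandji ;;  # ASSUMPTION: your tenant's Kandji MDM host
    *)               echo other ;;
  esac
}

# Drop the Jamf MDM profile, then the framework. Order matters: removeFramework
# deletes the jamf binary itself, so it must run last.
remove_jamf() {
  if [ -x "$JAMF_BIN" ]; then
    "$JAMF_BIN" removeMdmProfile
    "$JAMF_BIN" removeFramework
  fi
}

# Poll until classify_mdm reports the wanted state, or give up.
wait_for_state() {
  local want n
  want="$1"
  n=0
  while [ "$n" -lt "$POLL_MAX" ]; do
    if [ "$(classify_mdm "$(enrollment_status)")" = "$want" ]; then return 0; fi
    n=$((n + 1))
    sleep "$POLL_SECONDS"
  done
  return 1
}

migrate_device() {
  case "$(classify_mdm "$(enrollment_status)")" in
    jamf)   remove_jamf
            wait_for_state none || { echo "Jamf MDM profile still present" >&2; return 1; } ;;
    none)   : ;;                                   # already unenrolled, go straight to Kandji
    kandji) echo "already enrolled in Kandji"; return 0 ;;
    *)      echo "unexpected MDM server; refusing to continue" >&2; return 1 ;;
  esac
  # Fetches the ADE profile for whichever MDM server ABM currently assigns this serial to.
  # If the ABM reassignment was missed, this re-enrolls into Jamf, which is why we
  # verify the resulting host below instead of trusting the exit code.
  profiles renew -type enrollment
  wait_for_state kandji || {
    echo "Kandji enrollment not observed within $((POLL_MAX * POLL_SECONDS))s" >&2
    return 1
  }
  echo "migrated: $(enrollment_status | mdm_server_host)"
}

# Only perform the cutover when explicitly asked (e.g. `sudo sh migrate.sh --run`);
# without the flag the file just defines functions, which makes it easy to test.
if [ "${1:-}" = "--run" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  migrate_device
fi
```

Two checks worth keeping in a script like this: the final state is verified by the MDM hostname, not by `profiles renew` succeeding, because a serial that was never reassigned in Apple Business Manager will quietly re-enroll into the old Jamf server; and the script refuses to touch a device whose MDM host it does not recognise. Removing the Jamf MDM profile does not carry the escrowed FileVault recovery key across, so confirm that Kandji has escrowed a key for each migrated Mac before the Jamf record is deleted in Phase 4.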
In parallel, we were also migrating our Windows fleet to Intune. The Mac and Windows workstreams ran simultaneously — Kandji handling Apple devices, Intune handling everything else — with Okta Device Trust as the compliance enforcement layer across both platforms.
Phase 3 (Week 4–5): Legacy cleanup. Retired 180 smart groups in Jamf. Audited every custom script we'd been running. About 30% were either broken or doing things we no longer needed. We ported 12 critical scripts to Kandji custom scripts; the rest we retired.
Phase 4 (Week 6): Jamf decommission. Final device count reconciliation, revoked Jamf licenses, archived the configuration as historical reference.
What the Numbers Looked Like
Six weeks out from project kickoff:
- 550 devices fully enrolled in Kandji with zero lost in migration
- Compliance reporting automated: what took 4 hours manually now runs as a scheduled Kandji report, emailed every Monday morning
- 12 active blueprints in Kandji vs. 200+ smart groups in Jamf
- $38k annual savings from Jamf license retirement
- Policy drift incidents dropped to zero (previously 2–3 per month from expired certificates)
The board presentation landed well. I showed them a single dashboard: every device, its compliance state, last check-in, OS version, and encryption status. Real-time. No spreadsheet.
What Came After
The Mac migration wrapped cleanly. The incident came later — several weeks after the migration was complete, when we enabled Okta Device Trust enforcement across the Windows fleet.
50 users couldn't authenticate on a Monday morning. Every one of them was on a Windows machine that had never received the required OS build, because the Intune update ring had a targeting gap we hadn't verified before enforcement went live. I had assumed that because the ring had been active long enough, the build had reached every machine in it. It hadn't.
That story — the investigation, the two-track response, and the automation I built so cleanup didn't require manual follow-up — is in Part 2.