Kandji module · weave

Setup

Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.

Official API reference

weave commands for this module are checked against the vendor's published API.

Kandji API

Variable	Description	Status
KANDJI_SUBDOMAIN	Required for authentication.	required
KANDJI_API_TOKEN	Required for authentication.	required

Sanity-check the wiring:

weave secrets check
weave kandji --help
weave doctor   # reports KANDJI_SUBDOMAIN status

Capabilities

What this module can do, by entity and verb. ✓ means a working CLI surface; · means not (yet) wired.

Entity	find	list	show	do	snapshot	diff	apply
blueprint	·	✓	·	·	·	·	·
device	✓	✓	·	✓	✓	✓	✓

Commands

Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.

find (1)

find device

read

Find a device by serial number or Kandji device id.

weave kandji find device <identifier>

list (2)

list blueprints

read

List blueprints.

weave kandji list blueprints <arg>

list devices

read

List enrolled devices.

weave kandji list devices <arg>

do (3)

do erase

write

Erase a device (irreversible).

weave kandji do erase <device-id>

do lock

write

Lock a device (macOS devices return a lock PIN).

weave kandji do lock <device-id>

do renew-mdm

write

Renew the MDM profile on a device.

weave kandji do renew-mdm <device-id>

snapshot / diff / apply are generated automatically from the State Kinds declared on this module — see the State kinds section below for per-kind details. Workflow: snapshot → edit YAML → diff → apply --yes (or confirm interactively; apply --dry-run previews the same diff).

State kinds

Resources this module can snapshot and diff; apply where the kind supports live writes (see Round-trip per kind). Always run diff before apply; use --yes in automation after review. Files live under .weave-state/kandji/.

This module is on the thinner integration path — use snapshot / diff for audit; confirm apply per kind below before relying on writes.

devices

snapshot diff apply

Kandji devices — blueprint_id/asset_tag apply via PATCH; other fields read-only.

Scope: —
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: kandji
kind: devices
items:
  - # <fields specific to this kind — see snapshot output>

Workflows

End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.

Devices audit

Snapshot and diff devices.

weave kandji snapshot devices
$EDITOR .weave-state/kandji/devices.yaml
weave kandji diff devices
weave kandji apply devices

Terraform parity

For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.

Terraform resource	weave equivalent
kandji_devices	weave kandji snapshot/diff/apply devices Snapshot/diff for audit; confirm apply on the module page.

Troubleshooting & source

Missing credentials

Run weave doctor — it reports which env vars (including KANDJI_SUBDOMAIN) are set and which are blank.

Unexpected behaviour from a state apply

Re-run weave kandji diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.

Open the source

The module lives at https://github.com/andy-broyles/weavewhatever/tree/main/src/weave/modules/kandji. File a bug or feature request at https://github.com/andy-broyles/weavewhatever/issues.