If you use Kandji, you might find yourself in a situation where you want to hide Kandji Self Service. Unfortunately, Kandji doesn’t let you disable Self Service, but you can still (mostly) hide Self Service from your end users.

chflags lends a hand

chflags is a macOS utility for setting flags on files. There are a couple of flags1 to choose from, but the one we are interested in is called hidden. This attribute, when set on a file, means it doesn’t show up in the Finder by default (and also then not in the Launchpad). If you want to use chflags to add the hidden attribute to Kandji Self Service, simply run the following:

sudo chflags hidden /Applications/Kandji\ Self\ Service.app

Note that sudo is required here.

When to hide Kandji Self Service

The Kandji agent is automatically updated by Kandji, on a relatively frequent schedule. These updates will likely reset the flags on the Self Service application bundle, so you should implement a method for making sure Self Service stays hidden. You can do this with Munki (using an installcheck_script2), or with Kandji (using an Audit script3).

Only a few utilities actually can read and respect the flags set by chflags, but fortunately one of them is the ubiquitous ls command. To get the flags (and some other information) for a file, you can use the following:

$ ls -lOd /Applications/Kandji\ Self\ Service.app
drwxr-xr-x  3 root  admin  - 96 Feb  4 14:46 /Applications/Kandji Self Service.app

Any set flags will appear immediately following the group field (in the above example, admin). If no flags are set, a hyphen is shown (as above).

We can use awk and grep to turn this into a condition that can be used with installcheck_scripts, and Audit scripts:

# Returns non-zero exit code if hidden is set
# returns without error if hidden is not set
[[ ! $(ls -lOd /Applications/Kandji\ Self\ Service.app | awk '{ print $5 }' | grep hidden) ]]

Note that the example above is valid for a Munki installcheck_script, as it returns 0 when Munki needs to trigger the action. For a Kandji Audit script, a non-zero exit code is required to trigger the remediation script, so the ! (boolean NOT operator) should be removed when using this example with Kandji.

I hope to write a couple more of these short posts about little things I’ve run into. Send me an email if you have questions or feedback!