diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/partners/kandji.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/partners/kandji.mdx
index 2bd8c88f03cebc..37e66b27d64339 100644
--- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/partners/kandji.mdx
+++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/partners/kandji.mdx
@@ -233,3 +233,7 @@ fi
 
 exit 0
 ```
+
+## TLS decryption
+
+The Kandji macOS agent uses certificate pinning, which is incompatible with [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/). If Gateway TLS decryption is [turned on](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#turn-on-tls-decryption), you must create a [Do Not Inspect policy](/cloudflare-one/policies/gateway/http-policies/common-policies/#skip-inspection-for-groups-of-applications) to exempt Kandji from SSL/TLS inspection. For more information, refer to the [Kandji documentation](https://support.kandji.io/kb/using-kandji-on-enterprise-networks#SSL/TLS-Inspection).
\ No newline at end of file