How can we enforce role-based access using geofencing and AD attributes in Hexnode? [Solved]

Participant
Discussion
3 days ago May 01, 2026

Hey everyone, 

We were setting up corporate devices for our IT team and ran into a bit of a design challenge. We wanted certain roles (like system admins) to have elevated access only when they're physically inside our data center. Initially, we tried static grouping, but it quickly became messy when people changed roles or moved between locations.

Is there a way in Hexnode to dynamically control access based on both user role (from AD) and their physical location? Ideally something that updates automatically without us having to constantly reassign devices. 

Replies (1)

Marked SolutionPending Review
Hexnode Expert
2 days ago May 01, 2026

Thanks for raising this query! 

What you’re trying to achieve is absolutely possible using Hexnode’s dual-group dynamic workflow, which combines directory attributes with geofencing. 

Instead of relying on static assignments, you can build logic around two continuously evaluated conditions: 

  • The user’s role (synced from AD/IdP, such as Title or Office Location) 

  • The device’s real-time location (via geofences) 

Here’s how this works in practice: 

You create a geofence that represents your authorized location (for example, your data center). Then, you define two dynamic device groups: 

  1. An “Inside” group that includes devices when:

  • The user matches a specific AD attribute (e.g., Title = Senior System Administrator)

  • AND the device is inside the geofence

  2. An “Outside” group that includes the same users but when:

  • The device is outside that geofence

This creates a clean “if/then” transition model. As the user moves in or out of the defined boundary, their device automatically shifts between these groups. 

You can then associate: 

  • a high-privilege policy with the Inside group (e.g., admin tools, internal access)

  • a restricted policy with the Outside group (e.g., blocklisted tools, tighter controls)

The key advantage here is that everything is identity-aware and self-updating. If HR updates a user’s role in AD, the next directory sync ensures that the correct policies apply without manual intervention. 

Please do reach out if you have more queries. 

Regards, 
Mary Romero  
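To make the dual-group logic concrete, here is an added worked example of the evaluation the reply describes; it is illustrative code written for this thread, not Hexnode's own code or API. It assumes a circular geofence (centre plus radius in metres, checked with the haversine distance), an AD "Title" attribute as the role condition, and constructed sample coordinates and policy names; the group names "Inside" and "Outside" follow the reply.

```python
import math
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_M = 6371000.0


@dataclass(frozen=True)
class Geofence:
    """Circular geofence: centre coordinates plus radius in metres (assumed model)."""
    name: str
    lat: float
    lon: float
    radius_m: float


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def inside_geofence(fence: Geofence, lat: float, lon: float) -> bool:
    return haversine_m(fence.lat, fence.lon, lat, lon) <= fence.radius_m


def classify_device(user_attrs: dict, fence: Geofence, lat: float, lon: float,
                    required_title: str) -> Optional[str]:
    """Return the dynamic group a device belongs to, or None if the user is not eligible.

    Both conditions from the reply are re-evaluated on every call:
      - the AD attribute must match (Title = required_title)
      - the device's current position decides Inside vs Outside
    A user whose Title no longer matches drops out of BOTH groups, which is the
    behaviour the "next directory sync" remark relies on.
    """
    if user_attrs.get("Title") != required_title:
        return None
    return "Inside" if inside_geofence(fence, lat, lon) else "Outside"


# Constructed policy mapping: names are placeholders, not Hexnode policy identifiers.
POLICY_FOR_GROUP = {
    "Inside": "high-privilege-admin-tools",
    "Outside": "restricted-blocklisted-tools",
    None: "baseline-corporate",  # not in either group: ordinary corporate policy
}


def resolve_policy(user_attrs: dict, fence: Geofence, lat: float, lon: float,
                   required_title: str) -> str:
    return POLICY_FOR_GROUP[classify_device(user_attrs, fence, lat, lon, required_title)]


def group_transitions(user_attrs: dict, fence: Geofence, samples: list,
                      required_title: str) -> list:
    """Replay a sequence of (lat, lon) location samples and record only the
    moments the device changes group, i.e. the if/then transitions."""
    transitions, current = [], object()  # sentinel so the first sample is recorded
    for lat, lon in samples:
        group = classify_device(user_attrs, fence, lat, lon, required_title)
        if group != current:
            transitions.append(group)
            current = group
    return transitions


# Constructed sample data: a data-centre fence with a 200 m radius and three positions.
DATA_CENTER = Geofence("DC-1", 37.4220, -122.0841, 200.0)
ADMIN = {"sAMAccountName": "jdoe", "Title": "Senior System Administrator"}
HELPDESK = {"sAMAccountName": "asmith", "Title": "Help Desk Technician"}
AT_DESK = (37.42245, -122.0841)    # ~50 m north of the centre -> inside
DOWN_THE_ROAD = (37.4310, -122.0841)  # ~1 km north -> outside

if __name__ == "__main__":
    walk = [DOWN_THE_ROAD, AT_DESK, AT_DESK, DOWN_THE_ROAD]
    print(group_transitions(ADMIN, DATA_CENTER, walk, "Senior System Administrator"))
    print(resolve_policy(HELPDESK, DATA_CENTER, *AT_DESK, "Senior System Administrator"))
```

Running the block prints the transitions `['Outside', 'Inside', 'Outside']` for the admin walking in and back out, while the help-desk user at the same desk only ever receives the baseline policy: location alone never grants the elevated policy, the role condition must hold too.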
