HexCon is coming to NYC. Catch the early-bird price before the time's up! Book me a spot

Web apps: Authenticating hexnode devices for web appsSolved

Participant
Discussion
1 year ago

To detect whether a hexnode device is viewing a web app we can use URL parameter wildcards which inject device variables like so:
https://www.hexnode.com/mobile-device-management/help/pass-device-information-from-hexnode-to-the-web-apps-added-in-the-device-through-wildcards-faqs/

For example, we could use the wildcard to check against the UDID of a device to determine if a client is a hexnode device and its location. But what if the UDID was to be leaked, anyone could just enter the UDID string and access the web app as that device.

My question is what ways can we authenticate hexnode devices on web apps securely? (preferably without user intervention)

Thanks!

Replies (3)

Marked SolutionPending Review
Hexnode Expert
1 year ago
Marked SolutionPending Review

Hey @jim-johnston,

Although I am not the intended recipient of your gratitude, I must say, it still made my day.

Chloe is on vacation right now, and unable to receive your gratitude directly. But I promise to promptly relay the message to her.

In the meantime, if you have any more questions or need further assistance, you can always reach out to us.

Best Regards,
Audrey Black
Hexnode UEM

Marked SolutionPending Review
Participant
1 year ago
Marked SolutionPending Review

Thanks Chloe, that clears up a lot for me!

I think I could generate a secret key that changes at some interval and use the API to set this key as a device attribute under the asset tag (like you have in your example).

https://www.hexnode.com/mobile-device-management/developers/actions/edit-device-attribute/

Cool stuff!

Thanks for your help

Marked SolutionPending Review
Hexnode Expert
1 year ago
Marked SolutionPending Review

Hello @jim-johnston, welcome to Hexnode Community!

Yes, you’re right. UDID or any such device information does stand the chance of getting leaked. Maybe you could try a combination of device information, like, say, Device ID, Serial Number and IMEI number? (http://example.com/%deviceid%/%serialnumber%/%devicename%/%imei%)

I know it isn’t ideal and doesn’t guarantee secure authentication, but we do not have a feasible solution for it as yet. You could create a combination known only to Hexnode admins and keep changing it regularly to reduce the chances of unsolicited access to the web app. For instance, http://example.com/%deviceid%/%serialnumber%/%devicename%/%imei%/%assettag% is one of the many possible combinations.

Please get back to us in case of further queries.

Regards,
Chloe Edison
Hexnode UEM