Microsoft Active Directory Integration with Hexnode

Active Directory Domain Services holds all directory information and handles every interaction between users and the domain. Integrating Microsoft Active Directory with Hexnode lets you verify user access to devices and servers against that directory, so unauthorized access is not silently accepted. With Hexnode, you can manage multiple Active Directory domains from a single console.

Once you integrate Microsoft Active Directory with Hexnode, you will be able to see the users, user groups and subdomains of the linked domain. To integrate your Active Directory with Hexnode, you must first configure the Hexnode Cloud Broker (AD Agent) in your server.

Microsoft Active Directory can be integrated with Hexnode by:

  1. Configuring the Hexnode Cloud Broker (AD Agent).
  2. Configuring the SSL certificate when LDAPS is enabled in the Active Directory
    • Command Line Interface (CLI) method
    • Configure the SSL Certificate through Server Manager
  3. Configuring the Active Directory Settings
    • Server Configuration
    • Schedule Sync for Microsoft Active Directory
Note:

Hexnode requires certain IP ranges or domains to be allowlisted on your firewall for the Active Directory agent service.

  • Allowlist the public IP address of the Hexnode portal on TCP ports 8993 and 443. The public IP can be fetched using “https://portalname.hexnodemdm.com/get_portal_ip/”. Replace “portalname” with your actual portal name.
  • Allowlist the domains “hexnode.com” and “hexnodemdm.com”.
  • Create an outbound firewall rule to allowlist the Load Balancer IP on TCP port 443.

Hexnode Cloud Broker (AD Agent) Configuration

To configure a Hexnode Cloud Broker service on your server, click on Admin > Active Directory. This opens the Agent Settings page when you first configure an Active Directory.

  1. Click on the Download link to download and install the Hexnode Cloud Broker (AD Agent) on your server.
  2. Click on the second Download link to download the configuration file.
     Screenshot: Configuring Microsoft Active Directory integration with Hexnode MDM
  3. Launch the Hexnode Cloud Broker Setup Wizard. Click on Next to continue or Cancel to exit setup.
     Screenshot: Installation of Hexnode Cloud Broker on your Windows device
  4. Select the destination folder where Hexnode Cloud Broker will be installed. By default, the setup wizard installs the Hexnode Cloud Broker in the folder C:\Hexnode Cloud Broker.
     Screenshot: Choose installation destination for Hexnode Cloud Broker on your Windows device
  5. Select the configuration file (hexnode_cloud_broker.config) downloaded in step 2. Click on Next.
     Screenshot: Choose the config file for setting up Hexnode Cloud Broker agent on your system
  6. Once you have uploaded the configuration file successfully, setup prompts for confirmation to install Hexnode Cloud Broker on your computer. Click on Install.
     Screenshot: Finish setting up Hexnode Cloud Broker agent on your system
  7. Click on Finish to exit setup.
     Screenshot: Manage the Agent Settings for Microsoft Active Directory integration with Hexnode MDM
  8. On the Hexnode UEM console, click on “Check agent status” to verify that the agent is online. Then, select Configure AD to set up your Active Directory Settings.
  9. Enter the required details under Server Configuration of your Active Directory Settings.
  10. Once you complete the initial AD Agent setup, an Agent Settings section appears under the Admin tab. This section displays all the agents currently connected to your server.
    • Use the gear icon next to an agent to refresh or remove it.
    • To add additional agents, click the plus (+) icon and repeat the same installation steps used for setting up the initial AD Agent.

    This section makes it easy to view, delete, sync, and add multiple AD agents across your network.

Configuring the SSL certificate when LDAPS is enabled in the Active Directory

LDAPS (Secure LDAP, i.e. LDAP over SSL/TLS) is a protocol used to securely connect to and access a directory over a network. It ensures an encrypted connection between the client and the directory server. When LDAPS is enabled in the Active Directory, the admin must upload an SSL certificate to the Hexnode portal. The SSL certificate encrypts the transmitted data and also authenticates the LDAP server, so the agent can tell a genuine domain controller from an impostor. SSL certificates can be obtained by executing a few commands or by configuring the certificates manually through Server Manager. The following are the instructions for each approach.

Command Line Interface (CLI) method

In organizations managing multiple servers, obtaining and configuring the SSL certificates individually is a tedious and inefficient process. Administrators can simplify this by using the following CLI commands to retrieve and encode SSL certificates directly across devices. These commands can be executed on Command Prompt or on the Terminal of the AD Server. The retrieved certificate is stored in the directory where the commands are executed.
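As an added example (these are not Hexnode's own commands), the following PowerShell script connects to a domain controller on the LDAPS port, checks the certificate chain it presents, and writes the issuing CA certificate in the same Base-64 encoded X.509 (.CER) form that the Server Manager method below exports. The domain controller name and output path are placeholders to replace with your own.

```powershell
# Added example, not Hexnode's own tooling. Run on the AD server or any
# domain-joined Windows host. $DomainController and $OutFile are placeholders.
param(
    [string]$DomainController = 'dc01.corp.example',          # placeholder host name
    [int]$Port = 636,                                         # default LDAPS port
    [string]$OutFile = (Join-Path $PWD 'ldaps-ca.cer')        # written to the current directory
)

# Accept the certificate during the TLS handshake only so we can fetch it;
# validation is done explicitly with X509Chain below instead of being skipped.
$acceptForInspection = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

$client = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptForInspection)
    $ssl.AuthenticateAsClient($DomainController)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $client.Close()
}

# Build the chain from the local trust store; the last element is the parent CA,
# which is the certificate the Server Manager steps export as the upload for Hexnode.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($leaf)
$ca = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

"Leaf subject  : $($leaf.Subject)"
"Leaf expires  : $($leaf.NotAfter)"
"Chain trusted : $trusted"
"Chain status  : $($chain.ChainStatus | ForEach-Object Status)"
"Issuing CA    : $($ca.Subject)"

# Base-64 encoded X.509 (.CER) is PEM: the DER bytes in Base64 with line breaks
# inside BEGIN/END CERTIFICATE markers.
$b64 = [Convert]::ToBase64String($ca.RawData, 'InsertLineBreaks')
"-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----" |
    Set-Content -Path $OutFile -Encoding ascii
"Wrote $OutFile"
```

If "Chain trusted" prints False, inspect the chain status before uploading anything: a certificate that does not chain to a trusted CA will not let the agent authenticate the LDAP server.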

Configure the SSL Certificate through Server Manager

SSL certificates can be manually configured and uploaded to each server. This method can be used in organizations managing a limited number of servers. These SSL certificates can be configured through Server Manager as follows.

  1. Access Server Manager > Tools > Certification Authority.
     Screenshot: Certification Authority under Tools is selected
  2. Navigate to Issued Certificates and click on the certificate listed.
     Screenshot: The certificate listed under Issued Certificates is selected
  3. Navigate to Certification Path. Click on the parent certificate and click on View Certificate.
     Screenshot: The parent certificate under Certification Path is selected
  4. Navigate to Details and click on Copy to File.
     Screenshot: The certificate details are copied to the file
  5. The Certificate Export Wizard opens. Click on Next.
     Screenshot: Certificate Export Wizard opens up
  6. Select the file format as Base-64 encoded X.509 (.CER). Click on Next.
     Screenshot: The file format is selected as Base-64 encoded X.509 (.CER)
  7. Choose the file path. Click on Next. Click on Finish.

This certificate can be uploaded as the SSL certificate in Server Configuration under Active Directory by browsing to it from the selected file path.

Active Directory Settings

Active Directory Settings include configuring the server and scheduling sync. These settings can be accessed under Admin > Active Directory.

Server Configuration

The following settings can be configured for your newly added domain:

  1. Domain Name – Enter the Active Directory Domain Name, which can be the same as the organization’s public domain name, sub-domain or any alternate names that may end in .local.
  2. Domain Controller – Enter the Domain Controller Name.
  3. Port – If LDAPS is enabled, use port 636 (the default port for LDAPS communication). For plain LDAP, use the default port 389. Alternatively, you can use whatever port the admin has configured on the domain controller.
  4. Domain\Username – Enter the Domain Name and Username in the format NetBiosName\SAMAccountName.
  5. Password – Enter the password.
  6. Use SSL ( if LDAPS is enabled) – Enable the ‘Use SSL’ option and upload the SSL certificate here.
  7. Select Agent – Select the AD Agent name from the drop-down list. Click on Add New Agent to add a new agent.
  8. Selected OUs – By default, all the OUs in the domain will be selected. You can click on Change to select the specific OU you want.
  9. Allow Self Enroll – If enabled, users can self-enroll their devices using their Active Directory credentials.

Schedule Sync for Microsoft Active Directory

The frequency at which Hexnode UEM syncs with the Active Directory domain can be configured. You can schedule a daily or weekly sync, select the days of the week, and choose the time of day at which the sync must occur.

On clicking Save, your Active Directory will be synced with Hexnode UEM databases.

Configuring the Active Directory settings for LDAPS

To integrate a new Active Directory domain with Hexnode UEM, navigate to Admin > Active Directory, click on the empty slot with the + sign and configure the Server Configuration settings.

Data fetched from AD

Once the integration is successful, the admin can see the users and user groups under the Manage tab.

Users synced from Active Directory to Hexnode after integration.

In addition, the Directory Services sub-tab under the Manage tab will have the linked domains listed. This sub-tab displays the recent actions performed on the domain. The admin can also perform actions on the domain here.

Details of domain(s) synced from Active Directory to Hexnode after integration

Check AD Server Status

Navigate to Enroll > All Enrollments > Enterprise > Active Directory. The configured AD domains will be listed here. The gear icon under each domain presents three options:

  • Sync Now: Sync domain with Hexnode UEM.
  • Disable Self Enroll.
  • Delete Domain.

The same options can be accessed from the list of configured domains under Admin > Active Directory.

Delete AD domain

Hexnode UEM lets users remove their Active Directory domain from the portal with ease.

  1. Navigate to Admin > Active Directory. Under the configured domains, click on the gear icon of the AD domain to delete.
     Screenshot: Delete Domain option for an Active Directory account in Hexnode UEM
  2. During the deletion process, the administrator is provided with two options:
    • Disenroll device(s) – removes the Active Directory domain from the portal and disenrolls all devices enrolled under the domain.
      • Pre-approved devices will also be deleted from the portal.
      • The admin is then required to specify the number of users that will be deleted under the domain and click on the Remove button to complete the process.
      Screenshot: Disenroll device(s) option to disenroll all devices under an Active Directory account
    • Assign to a new user – lets the admin assign all devices under the domain to a new user. All existing restrictions/configurations and apps associated with the old user will be removed from the respective device(s).
      Screenshot: Assign to a new user option to assign all devices under an Active Directory account to a new user
      • After specifying the number of users that will be deleted, click on the Remove button, which opens a dialogue box to assign device(s) to a new user.
      • Note: If the Required Apps policy is configured on the new user, devices that do not support silent app installation/uninstallation will prompt the user to install/uninstall an app.
      Screenshot: Change device owner option to choose a new user to assign all devices under an Active Directory account
      • Select the domain and choose the user to assign the devices to.
      • Toggle the Delete Old User’s Location History checkbox to delete the location history of old users. Click on the Assign button to complete the process.
  3. Notes:
    • If the “Remove apps from the device on policy removal” option at Policies > Android Settings/iOS Settings > App Management > Required Apps is checked, required apps associated with the old user will be removed and required apps associated with the new user will be installed on the device.
    • If a required app is already installed on the device and is associated with both the old and the new user, that app will be re-installed on the device.