How to schedule deployment on devices enrolled in Hexnode

The Automations feature in Hexnode UEM provides a streamlined solution for automating the deployment of files, certificates, custom scripts, device restrictions, and updates to managed devices. This feature stands out with its scheduling capability, allowing automation actions to be initiated at designated times or triggered at device enrollment.

Though “automation” might seem similar to “policies” in terms of functionality, it differs with regards to flexibility.

The Automate tab is designed for automating the scheduling and execution of various operations on devices, while the Policy tab enables administrators to create and manage individual policy settings that can be applied directly to devices.

This guide walks you through the steps to create, schedule, and manage automations within Hexnode UEM. Follow these instructions to efficiently automate and customize your device management processes.

Steps to create an automation

Follow the below steps to create an automation to instantly apply policies to a group of devices.

1. Navigate to Automate > New Automation.

   

2. Choose the platform for which you want to create the automation.

   

   Basics

   Provide the following information after selecting the platform.

   1. Name: Enter a name for the automation.
   2. Description: Provide a brief description to clarify the automation intent or scope (optional).

      

3. Click Next.
   Actions

   Before proceeding with the automation process, let’s understand what “Actions” in the automation correspond to:

   “Actions” in the Automate tab vs. “Remote actions”

   • Remote actions: Available in the Manage tab, remote actions are commands that perform a pre-defined operation instantaneously on devices. For example, device wipe, scan location, etc. They are one-time actions that you are required to initiate every time you need to get something done with the enrolled device.
   • Actions in the automation feature: Actions in the automation feature specify the tasks or operations that will be executed as part of the automation process. For instance, choosing specific policies to be associated with/removed from devices, users, or groups. The configured “Settings and Schedule” will act on these operations defined here.

   Under the Actions section, you have the following automation options:

   Patches and Updates – Auto

   Automatic patching streamlines the process of keeping Windows and macOS devices secure and compliant by ensuring timely updates with minimal manual intervention. It’s especially beneficial for organizations with strict security mandates or large device fleets. IT admins can configure automated update rules to control when and how patches are applied.

   1. How to configure automatic patching on Windows devices.
   2. How to configure automatic patching on macOS devices.

   Patches and Updates – Manual

   Manual patching gives IT admins the flexibility to apply only the necessary updates based on specific organizational needs. Whether managing Windows or macOS devices, this method is ideal for environments where software compatibility is critical, such as those using legacy systems or custom applications. Manual patching allows admins to filter available updates by category and identify which ones need to be installed on devices.

   1. How to configure manual patching on Windows devices.
   2. How to configure manual patching on macOS devices.

   Bulk actions

   All actions that can be automated, other than patches and updates, are categorized as bulk actions. This category includes the following actions:

   Policy

   Currently, there are two options to automate under the Policy section. You can either Associate Policy (to apply a policy to the devices) or Remove Policy (to remove a policy from the devices). Only one policy can be selected at a time for either option, but additional policies can be added by selecting Add New Action.

   

   Scripts

   The Scripts section allows you to automatically deploy custom scripts on macOS and Windows devices. To schedule a script, select the Execute Custom Script option and choose the desired script from the Hexnode content repository. If required, you can use the Arguments field to specify script inputs. This field also supports wildcards. Once you’ve configured the script, click Add to finalize the action.

   

   Notes:

   • For macOS, script automation is supported on devices running macOS 10.11 or later and requires the Hexnode Agent app version 1.2 or above.
   • For Windows, it is supported on Windows 10 and 11 (Pro, Enterprise, and Education editions) with Hexnode Agent version 4.2.2 or later installed.
   • It is recommended to validate the script execution manually on a system before executing in bulk.

   Scans

   The Scans section provides the following actions:

   1. Scan Device: This action retrieves basic details of the enrolled devices, such as battery percentage, installed apps, and device information. These details are then updated in the Hexnode UEM console.
   2. Sync Local Accounts: This action synchronizes user accounts with the Hexnode UEM console to retrieve detailed information about each account.
   3. Scan Device Location: This action fetches the real-time location of the device. It can only be performed if a location tracking policy is applied to the device.

      

      Notes:

      • Scan Device is available across all platforms.
      • Sync Local Accounts is available only for Windows and macOS devices. The action requires the latest version of the Hexnode UEM app to be installed on the device.
      • Scan Device Location is available for all platforms, except Apple TV.

   Alerts

   In the Alerts section, you can send custom messages to end-user devices, with the option to include wildcards that display device or user details within the message. The Alerts action is not available for Apple TV.

   

   Device Controls

   This section includes basic device control actions such as:

   1. Power Off: Allows the admin to remotely shut down devices.
   2. Restart Device: Allows the admin to remotely restart devices.
   3. Lock Device: Lets the admin lock devices so only those with the device password can unlock them.
   4. Enable Lost Mode: Locks down the device and tracks its location, ensuring it can’t be used if lost or stolen, and aids in quicker recovery.
   5. Disable Lost Mode: Once the device is retrieved, the admin can disable Lost Mode and return the device to normal functionality.
   Notes:
   • All five device control actions are available for Android, iOS, and Windows platforms.
   • macOS supports only Power Off, Restart Device, and Lock Device actions.
   • Apple TV supports only the Restart Device action.

   User Controls

   This section enables the creation of both admin and standard accounts remotely from the Hexnode UEM console using the automate feature.

   Note:

   
   The User Controls action is supported on Windows and macOS platforms. For more details, refer to the help documents on Windows user account creation and macOS user account creation.

   Device Encryptions (for Windows devices)

   This action allows you to configure the automatic rotation and escrowing of recovery passwords for the operating system drive and all other drives. The available options to configure are:

   1. Rotate recovery password for all drives: Selecting this option will automatically rotate and escrow the recovery password for all drives.
   2. Rotate recovery password for specific drives: Enter the names of the drives whose recovery passwords should be automatically rotated and escrowed. Use commas to separate multiple drive names.

4. Once the actions are selected, click Next.
   Settings and Schedule

   Configure the automation scheduling and related settings here. You can trigger the action based on two criteria:

   Time:
   You can define the exact time when the action will be executed on the device.

   1. Initiate: You can configure the action initiation frequency. Choose between three options: Once, ASAP (instant action triggering will happen), Once or Repeat on a set schedule.
   2. Scheduled Date: Set the action initiation date in MM/DD/YYYY format (for the Once option).

      

   3. Scheduled Day: Specify the day for action initiation (for Repeat at a set schedule option). Three sub-options available:
      1. Everyday: The action will trigger daily.
      2. Selected days: Select specific days of the week for the action to trigger.
      3. Monthly: Specify the day of the month for action initiation, such as the 10th of every month.

      

   4. Scheduled Time: Set the time on which the action should take place on the devices, in HH/MM format and you can select the time zone also.

   Activity: Define the device activity that will trigger the action on the device. You can select from the following four activity types:

   1. On Device Enrollment: Triggers the action when the device is enrolled. The automation action will be applied only to newly enrolled devices after their initial device scan.
   2. On SIM Insertion: Triggers the action upon the insertion of a SIM card on the device.
   3. On SIM Removal: Triggers the action when a SIM card is removed from the device.
   4. On SIM Switch: Triggers the action when a SIM card is replaced with a different one.
   5. On Device Compliance: Triggers the action when the device is compliant.
   6. On Device Non-Compliance: Triggers the action when the device is non-compliant.
   7. On Location Compliance: Triggers the action when the device is location compliant.
   8. On Location Non-Compliance: Triggers the action when the device is not location compliant.

   

5. Once you have configured the Settings and Schedule, click Next. On the following page, you can define the target filters.
   Target Filters

   Configure target filters in this section. You can specify options for Included groups, Excluded groups, and create custom filters by selecting the Filters option.

   1. Included groups: Select device or user groups to which the action will apply. Click Add Groups to view and choose from the available device and user groups in your Hexnode UEM portal.
   2. Excluded groups: Choose device or user groups to be excluded from the action automation. Click Add Groups to display the available groups for exclusion.

      

   3. Filters: Create custom filters based on the following categories:
      1. Device: This category encompasses various attributes specific to the device being managed.
      2. User: This category includes attributes related to the users who are using the devices.
      3. Network: This category relates to network attributes associated with the devices.
      4. Device Status: This category provides attributes associated with the compliance and operational status of the devices.

   To configure filters, set the following fields:

   1. Select Column: Choose the category used for filtering. Once selected, the relevant sub-categories will be displayed under this dropdown.
   2. Select Comparator: Define the comparison method.
   3. Select value: Set the specific value for filtering.

   Below is a list of available filter categories and their corresponding sub-categories:

   Main category	Sub- categories
   Device	Apple DEP Asset tag Available internal storage Battery level BitLocker Policy Compliance Department Device ID Device model Device notes Device type Encryption Status Enrolled time Enterprise Management Type Installed RAM Last checked-in time Manufacturer MEID OS name OS version Ownership Platform Processor name Serial number Supervision Total internal storage TPM version UDID Used internal storage
   User	Alternate email Department (AD) Domain name Email Office location (AD) sAMAccountName Title (AD) User type Username
   Network	Bluetooth MAC address Current carrier network SIM 1 Current carrier network SIM 2 Current MCC Current MNC Ethernet IP Address Ethernet MAC address Home carrier Home country ICCID SIM 1 ICCID SIM 2 IMEI SIM 1 IMEI SIM 2 IMSI International data roaming Last connection date Personal Hotspot Phone number SIM 1 Phone number SIM 2 Roaming enabled SIM carrier network Subscriber carrier network (iOS) Subscriber MCC Subscriber MNC Wi-Fi IP Address Wi-Fi MAC address Wi-Fi SSID
   Device Status	Activity status Application compliance status Compliance status Enrollment status Geofence compliance status Jailbroken Kiosk mode Lost mode MDM profile Password compliance status Rooted

   1. After selecting the desired sub-category, a comparator must be chosen.
      Note:

      
      The available comparators vary depending on the selected sub-category.

      For example, if Apple DEP is chosen as the sub-category, the available comparators are Is and Is not.

      

   2. After selecting the comparator, the value for comparison must be chosen or entered.

      In the case of the Apple DEP sub-category, the available options are Disabled and Enabled.

      

   Notes:
   1. You can add nested filters using the ‘+’ icon along with the AND operator. To remove a filter, simply click the trash icon next to the ‘+’ icon.

      

   2. When dealing with multiple filters, there are two available operator options: “AND” and “OR.”

      

   3. Choosing AND means that devices must meet the criteria set by all the filters. On the other hand, selecting OR allows the action to apply to devices that meet at least one of the criteria from the filters.

6. After setting the filters, click Next.
   Review

   The next page leads to the Review section, where the configured automation settings can be viewed. If any adjustments are needed, click the Edit option to access the corresponding section and make changes as necessary.

   

7. Once you have reviewed the automation, click Save.

Automate tab overview

After successfully creating an automation, you can easily monitor and manage it through the Automate tab. The Automate tab consists of the following sections:

• Active Automations
• Archives
• Activity Feed

Active Automations

The created automations will be displayed in the Active Automations section on the home screen of the Automate tab. This section provides details such as the name, version, platform, creation date, status, and last status update for each automation.

Also, there are options to Archive, Pause, Resume and Delete the automations. To perform any of these, select the desired automation and click on Actions.

Archives

Archived automations can be found in the Archives section, which shows the automation name, version, and archived time. From this section, automations can be deleted or restored.

Activity Feed

Detailed information about each automation can be viewed in the Activity Feed, including the automation name, version, activity type, and the time when the activity occurred.

To view specific automation details, select the desired automation and navigate to the Reports section. Here, you can see device-specific details related to the automation, such as the device name, platform, action, version, initiation time, completion time, and the automation status. You can also export and download the report in either PDF or CSV format from this section.

By following the outlined steps, you can streamline the automation process to meet your organization’s needs, allowing you to create an automation that instantly automates the deployment of a file, certificate, custom script, or an update to a group of devices or group of users.