
Strategic Architecture: Break Glass Account Management in Hexnode UEM

Summary: The “Emergency Override” Logic

In a Unified Endpoint Management (UEM) environment, Break-Glass Accounts (Emergency Access Accounts) are highly privileged local accounts that remain usable when the normal authentication path does not. They do not depend on Single Sign-On (SSO) or an external Identity Provider (IdP), so they provide a way into the console during critical failures of that infrastructure; they are not exempt from MFA, logging, or audit.

As enterprises increasingly rely on cloud-based IdPs (Okta, Entra ID, Google Workspace) for portal access, a break-glass strategy ensures that IT leadership retains fleet management capabilities even if the primary identity infrastructure suffers a global outage or a security breach.

Technical Framework: Hexnode Implementation

Hexnode simplifies break-glass management through its Technician and Roles architecture, allowing for the creation of accounts that exist independently of corporate directory syncs.

Local vs. SSO-Based Technicians

To be an effective fail-safe, a break-glass account must be a Local Technician.

  • Path: Admin > Technicians and Roles > Add Technician.
  • Credential Source: Select Local Password and ensure the account is excluded from Global SSO Login Settings.
  • Privilege Level: Assign the Admin role to secondary break-glass accounts. (Note: The unique Super Admin account should also remain local as the primary recovery path).

The “Active-Standby” Paradox

To be a true fail-safe, the Break-Glass path must be Active (Enabled) at all times. Because Hexnode allows only one Super Admin, you must maintain a hierarchy that ensures access even if the Super Admin is unavailable.

Account Identity   Status            Connection Type   Security Layer
The Super Admin    Always Active     Local Only        Password + MFA (Physical Safe)
Emergency Admin    Always Active     Local Only        Vaulted Credentials / Different Safe
Standard Admins    Active/Inactive   SSO Federated     Corporate Identity (Entra ID/Okta)

Governance and Security Controls

Because break-glass accounts hold high-privilege access that sits outside the normal identity controls, they need compensating controls: keep their number minimal, put the credential under dual custody, and alert on and audit every use.

  • Account State: Enabled (Active), so the account is usable the moment the safe is opened and no other admin has to activate it first.
  • Credential Storage: Use a Split-Password strategy: half held by the CISO, half by the CTO, in a physical safe, so that neither custodian can authenticate alone. Make the full password long and random (32 or more characters) so that one half is not guessable on its own, and keep the second factor (hardware token, TOTP seed, or recovery codes) under separate custody from the password halves.
  • Immediate Visibility: Configure Technician Login Reports or automated notifications so that stakeholders are alerted the moment a break-glass login occurs, including failed attempts, which indicate someone is guessing the vaulted credential.
  • Audit Integrity: Use Hexnode’s Activity Feed (Action History) to log every remote wipe, policy change, or enrollment performed during the emergency, and review that record once the emergency is closed.
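As an added example that is not part of the original article and not Hexnode's own code, the following Python script applies the "Immediate Visibility" rule to a constructed batch of technician login events. The event schema (ts, technician, auth, source_ip, result) and the account names are assumptions for illustration, not Hexnode's Technician Login Report format. It raises a critical alert on any successful break-glass login, a high alert on a failed attempt against a break-glass account, downgrades a success that falls inside a scheduled DR drill window to an informational record, and flags any local-password login by an account that, per the table above, is supposed to be SSO-federated.

```python
import json
from datetime import datetime, timezone

# Accounts that are expected to log in only during an emergency or a drill.
# These names are constructed for the example.
BREAK_GLASS_ACCOUNTS = {"superadmin", "breakglass-admin"}

# Constructed sample events in a hypothetical newline-delimited JSON export.
# This is not Hexnode's Technician Login Report format.
SAMPLE_EVENTS = """
{"ts": "2024-05-02T08:11:03Z", "technician": "alice@corp.example", "auth": "sso", "source_ip": "203.0.113.10", "result": "success"}
{"ts": "2024-05-02T08:14:51Z", "technician": "bob@corp.example", "auth": "local", "source_ip": "203.0.113.11", "result": "success"}
{"ts": "2024-05-02T22:40:12Z", "technician": "breakglass-admin", "auth": "local", "source_ip": "198.51.100.7", "result": "failure"}
{"ts": "2024-05-02T22:41:30Z", "technician": "breakglass-admin", "auth": "local", "source_ip": "198.51.100.7", "result": "success"}
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_events(text):
    """Turn newline-delimited JSON into event dicts with parsed timestamps."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = parse_ts(event["ts"])
        events.append(event)
    return events


def evaluate(events, break_glass=BREAK_GLASS_ACCOUNTS, drill_windows=()):
    """Return alerts for break-glass use and for logins that violate the account hierarchy.

    drill_windows: iterable of (start, end) aware datetimes for scheduled DR drills.
    """
    alerts = []
    for event in events:
        tech = event["technician"]
        base = {"ts": event["ts"].isoformat(), "technician": tech, "source_ip": event["source_ip"]}
        if tech in break_glass:
            if event["result"] != "success":
                # A failed attempt against a vaulted credential is itself suspicious,
                # drill window or not.
                alerts.append({**base, "rule": "break_glass_login", "severity": "high"})
            elif any(start <= event["ts"] <= end for start, end in drill_windows):
                alerts.append({**base, "rule": "break_glass_drill", "severity": "info"})
            else:
                alerts.append({**base, "rule": "break_glass_login", "severity": "critical"})
        elif event["auth"] == "local":
            # Standard admins are expected to arrive through the federated IdP;
            # a local-password login by one of them is a hierarchy violation.
            alerts.append({**base, "rule": "unexpected_local_auth", "severity": "medium"})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run against a real export, the `evaluate` output is what the notification hook should forward to the stakeholder list; the drill window keeps the quarterly test from paging the executives while still leaving a record.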

Emergency Use Cases (When to “Break the Glass”)

  • IdP Outage: Your primary SSO provider is offline globally.
  • MFA Failure: A secondary authentication service is experiencing service degradation. (The break-glass account's own second factor must therefore not depend on that service; a hardware token or TOTP seed kept in the safe does not.)
  • Global Admin Lockout: An accidental policy change (e.g., IP restriction) has blocked all standard admin access.
  • Cybersecurity Incident: The primary identity directory is compromised, requiring the isolation of the UEM portal.

Resilience Checklist: Quarterly Maintenance

To ensure your break-glass strategy is functional, IT teams should conduct a DR (Disaster Recovery) Drill every 90 days:

  • Verify Password: Log in with the local credentials to confirm they have not expired, been rotated, or been disabled. If the drill exposed the password to anyone beyond its custodians, rotate it and re-seal the halves.
  • Physical Custody Check: Confirm that the physical safe contains the correct password and 2FA Recovery Codes.
  • Update Admin Contacts: Ensure the notification list for emergency logins is updated with current executive email addresses.
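Added example, not from the article and not Hexnode's code: Python for the split-password custody described under Governance and for the quarterly custody check above. Instead of handing each custodian a literal half of the password, which leaves either custodian with only half the entropy to guess, this uses an XOR split (a swapped-in technique, stated as such): one envelope holds random bytes, the other holds the password XORed with them, so either envelope alone is indistinguishable from noise. A SHA-256 fingerprint kept with the runbook lets the drill confirm that the two envelopes still reconstruct the vaulted password without printing it; this is only safe because the password is generated at random with high entropy, so the fingerprint cannot be brute-forced. Function names and the example password are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


def generate_password(nbytes=32):
    """Generate a high-entropy random password for the local break-glass technician."""
    return secrets.token_urlsafe(nbytes)


def split_secret(password):
    """Split a password into two XOR shares plus a verification fingerprint.

    Returns (share_a_hex, share_b_hex, fingerprint). Share A is random, share B is
    password XOR share A, so neither share alone reveals anything about the password.
    """
    pw = password.encode("utf-8")
    share_a = secrets.token_bytes(len(pw))
    share_b = bytes(x ^ y for x, y in zip(pw, share_a))
    # Fingerprint of the plaintext; acceptable only because the password is random
    # and long, so an offline guess against this digest is infeasible.
    fingerprint = hashlib.sha256(pw).hexdigest()
    return share_a.hex(), share_b.hex(), fingerprint


def combine_shares(share_a_hex, share_b_hex):
    """Reassemble the password from the two envelopes."""
    a = bytes.fromhex(share_a_hex)
    b = bytes.fromhex(share_b_hex)
    if len(a) != len(b):
        raise ValueError("shares differ in length; an envelope is damaged or mismatched")
    return bytes(x ^ y for x, y in zip(a, b)).decode("utf-8")


def verify_custody(share_a_hex, share_b_hex, fingerprint):
    """Quarterly drill check: do the two envelopes still reconstruct the vaulted password?

    Returns True or False without ever printing the password. The digest comparison
    is constant-time so a wrong envelope leaks nothing through timing.
    """
    try:
        candidate = combine_shares(share_a_hex, share_b_hex)
    except (ValueError, UnicodeDecodeError):
        return False
    digest = hashlib.sha256(candidate.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, fingerprint)


if __name__ == "__main__":
    pw = generate_password()
    a, b, fp = split_secret(pw)
    print("CISO envelope :", a)
    print("CTO envelope  :", b)
    print("fingerprint   :", fp)
    print("drill check   :", verify_custody(a, b, fp))
```

The two hex strings go into the two envelopes and the fingerprint into the runbook; at each drill the custodians bring their envelopes together, run `verify_custody`, and re-seal, and the password itself is only reconstructed when the glass is actually broken.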

How Hexnode Simplifies Emergency Management

Hexnode provides a robust framework to build emergency access through:

  • Granular RBAC: Create Custom Technician Roles that serve as dedicated emergency accounts with scoped access to specific domains or device groups.
  • SSO Exemption: Local accounts can be excluded from global SSO mandates, giving a direct login path during third-party outages. Keep MFA enabled on these accounts, using a factor that does not depend on the external IdP.
  • Immediate Management: Speed is critical; Hexnode allows for instant Session Termination of all other accounts if a breach is suspected.
  • Multi-Tenant Advantage: For MSPs, the Super Admin of the parent portal acts as the ultimate authority, able to assist sub-tenants who have locked themselves out of their portals.