Hexnode UEM Network Orchestration: Automating Global Connectivity at Scale
Automating Connectivity and Access Control at Scale (500,000 Endpoints)
1. Executive Summary
Connectivity is the lifeblood of management. If a device cannot connect to the network, it cannot be managed. For a fleet of 500,000 devices, manually entering Wi-Fi passwords or trusting users to activate VPNs is a security failure.
Hexnode Network Access Control (NAC) Orchestration ensures that every device is automatically configured with the correct network connectivity settings for its location and role. This document details the technical setup for 802.1X authentication and Always-On VPN tunneling to enforce a Zero Trust network model across 50 global sub-companies.
2. Enterprise Wi-Fi (802.1X)
Hexnode replaces shared pre-shared keys (PSK) with identity-based authentication. We use WPA2/WPA3 Enterprise (802.1X) so that only devices holding a certificate issued to them by the corporate CA can join the corporate network; a leaked Wi-Fi password no longer grants access.
The Technical Payload
Instead of a simple password, Hexnode deploys a complex “Connectivity Bundle” to the device:
- Root CA Trust: Installs the organization’s Root Certificate so the device can validate the RADIUS server’s certificate chain and refuse a rogue access point that presents any other certificate.
- Identity Certificate (SCEP): Hexnode dynamically requests a unique user/device certificate from your CA over SCEP and installs it in the device keystore. The private key is generated on the device and never leaves it.
- Wi-Fi Configuration:
- SSID: [Hidden or Broadcast]
- Security Type: WPA2/WPA3 Enterprise. EAP-TLS (certificate on both sides) is the preferred method; PEAP is password-based and, where it must remain, the profile must pin the RADIUS server name and certificate so the device does not hand the credential to an impostor.
- Protocols: The supplicant and RADIUS server negotiate TLS 1.2/1.3 for the EAP handshake.
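The bundle above, expressed as a single Apple configuration profile (.mobileconfig) that carries the root CA, the SCEP request and the EAP-TLS Wi-Fi payload, plus an audit function that flags the settings a rogue access point or a shared secret could exploit. This is an added example, not Hexnode’s own code: the payload keys follow Apple’s Wi-Fi, SCEP and root-certificate payload schemas, while the SSIDs, host names, SCEP URL, `%SerialNumber%`/`%SCEPChallenge%` substitution tokens and the DER bytes are constructed placeholders.

```python
"""Assemble an 802.1X "Connectivity Bundle" as an Apple configuration profile
and audit its Wi-Fi payload for weak settings. Added example, not Hexnode code.
Payload keys follow Apple's Wi-Fi/SCEP/root payload schemas; all names, URLs,
substitution tokens and certificate bytes below are constructed placeholders."""
import plistlib
import uuid

EAP_TLS, EAP_TTLS, EAP_PEAP = 13, 21, 25   # IANA EAP method numbers (AcceptEAPTypes)


def _payload(ptype, ident, name, **body):
    """Common envelope every payload dictionary carries."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()), "PayloadDisplayName": name, **body}


def build_bundle(region, ssid, scep_url, root_ca_der, radius_names, hidden=False):
    """Root CA trust + SCEP identity + EAP-TLS Wi-Fi payload for one region."""
    root = _payload("com.apple.security.root", f"corp.example.root.{region}",
                    "Corp Root CA", PayloadContent=root_ca_der)   # DER -> <data>
    scep = _payload("com.apple.security.scep", f"corp.example.scep.{region}",
                    "Device identity (SCEP)", PayloadContent={
                        "URL": scep_url,
                        "Name": "corp-device-ca",
                        # Assumed UEM substitution tokens: one subject and one
                        # challenge per device, filled in at delivery time.
                        "Subject": [[["CN", "%SerialNumber%"]], [["O", "Example Corp"]]],
                        "Challenge": "%SCEPChallenge%",
                        "Key Type": "RSA",
                        "Keysize": 2048,
                        "Key Usage": 5,          # 1 = signing + 4 = key encipherment
                    })
    wifi = _payload("com.apple.wifi.managed", f"corp.example.wifi.{region}",
                    f"Wi-Fi_{region}_Corp",
                    SSID_STR=ssid, HIDDEN_NETWORK=hidden, AutoJoin=True,
                    EncryptionType="WPA2",               # WPA2/WPA3 Enterprise
                    PayloadCertificateUUID=scep["PayloadUUID"],  # EAP-TLS identity
                    EAPClientConfiguration={
                        "AcceptEAPTypes": [EAP_TLS],
                        "PayloadCertificateAnchorUUID": [root["PayloadUUID"]],  # pin chain
                        "TLSTrustedServerNames": radius_names,             # pin name
                        "TLSAllowTrusted": False,  # user cannot accept an unknown server
                    })
    return _payload("Configuration", f"corp.example.connectivity.{region}",
                    f"Connectivity Bundle {region}", PayloadContent=[root, scep, wifi])


def to_mobileconfig(profile):
    """Serialize to the XML plist the UEM pushes to the device."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_wifi(profile):
    """Return findings that let a rogue AP or a shared secret defeat 802.1X."""
    by_uuid = {p["PayloadUUID"]: p for p in profile["PayloadContent"]}
    findings = []
    for p in profile["PayloadContent"]:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        ssid = p.get("SSID_STR", "?")
        if "Password" in p or p.get("EncryptionType") in ("WEP", "None"):
            findings.append(f"{ssid}: pre-shared key or no encryption instead of 802.1X")
        eap = p.get("EAPClientConfiguration")
        if not eap:
            findings.append(f"{ssid}: no EAPClientConfiguration, not an enterprise network")
            continue
        types = eap.get("AcceptEAPTypes", [])
        if EAP_TLS not in types:
            findings.append(f"{ssid}: EAP-TLS not offered, credential is a password")
        if (EAP_PEAP in types or EAP_TTLS in types) and not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: password EAP without RADIUS server-name pinning")
        anchored = any(by_uuid.get(a, {}).get("PayloadType") == "com.apple.security.root"
                       for a in eap.get("PayloadCertificateAnchorUUID", []))
        if not anchored or eap.get("TLSAllowTrusted", True):   # Apple default is True
            findings.append(f"{ssid}: RADIUS certificate not pinned to a delivered root CA")
        if EAP_TLS in types and p.get("PayloadCertificateUUID") not in by_uuid:
            findings.append(f"{ssid}: EAP-TLS selected but no identity certificate payload")
    return findings


def weak_peap_profile(region, ssid):
    """The 'before' picture: PEAP with a shared account and no server pinning."""
    wifi = _payload("com.apple.wifi.managed", f"corp.example.wifi.{region}", ssid,
                    SSID_STR=ssid, EncryptionType="WPA2",
                    EAPClientConfiguration={"AcceptEAPTypes": [EAP_PEAP],
                                            "UserName": "wifi-shared",
                                            "UserPassword": "Summer2024!"})  # constructed
    return _payload("Configuration", f"corp.example.wifi-legacy.{region}",
                    "Legacy Wi-Fi", PayloadContent=[wifi])


if __name__ == "__main__":
    bundle = build_bundle("LON", "Corp-LON", "https://scep.corp.example/scep",
                          b"<DER of corp root CA>", ["radius-lon.corp.example"])
    print(to_mobileconfig(bundle).decode()[:300])
    print(audit_wifi(bundle))                                   # []
    print(audit_wifi(weak_peap_profile("LON", "Corp-LON-Legacy")))  # three findings
```

`audit_wifi` is the check to run over every Wi-Fi profile before it is assigned to a Smart Group: a PEAP payload without `TLSTrustedServerNames`, or one that leaves `TLSAllowTrusted` at its default, lets a rogue access point harvest the credential, which is the failure 802.1X was deployed to remove.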
Dynamic Regional Assignment
Using Hierarchical Smart Groups, Hexnode avoids SSID pollution: a device only receives the Wi-Fi profiles for the sites it can actually use. A device does not need the “Tokyo Office” SSID if it is located in London.
- Logic: IF Location == “UK-London” THEN Install Profile “Wi-Fi_LON_Corp”
- Result: When a London employee travels to New York, Hexnode detects the geo-IP change and automatically deploys the “Wi-Fi_NYC_Corp” profile, so the user roams without raising a help-desk ticket.
3. VPN Orchestration (The “Always-On” Tunnel)
For a massive remote workforce, the VPN must be invisible and resilient. We deploy two distinct tunneling strategies based on user role and device type.
Strategy A: Always-On VPN (IKEv2 / AnyConnect)
- Target: Corporate Laptops (Windows/macOS) & Fully Managed Mobile Devices.
- The Logic: The VPN tunnel is established at the system level at boot, before the user logs in, so the device is reachable by management and domain services even with nobody at the keyboard.
- Hexnode Configuration:
- Protocol: IKEv2 (Native) or Cisco AnyConnect (via App Config).
- Lockdown Mode: “Block network traffic until VPN connects.” With lockdown on, no traffic leaves the device outside the tunnel; any exception (captive-portal detection, local printing) must be an explicit policy decision, not a default.
- Strategic Benefit: The management channel (the MQTT socket the Hexnode agent keeps open) stays reachable even on hostile public Wi-Fi, so IT can push a “Remote Wipe” command immediately, without waiting for the user to launch a VPN app.
Strategy B: Per-App VPN
- Target: BYOD / COPE Devices.
- The Logic: We do not tunnel the entire device (which would route Netflix/YouTube traffic through corporate servers). Instead, we tunnel only specific managed apps.
- Hexnode Configuration:
- Packet Tunnel Provider: The VPN comes up only when the user opens specific managed apps, identified by bundle ID (e.g., com.sap.fiori, com.salesforce.app); other apps never see the tunnel.
- Bandwidth Optimization: This drastically reduces load and bandwidth cost on the corporate VPN gateways by leaving personal traffic on the user’s local internet connection.
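Strategy A and Strategy B side by side, as the VPN profile XML a UEM pushes to a Windows endpoint, with an audit that checks each profile against the strategy it is meant to implement. This is an added example, not Hexnode’s own code or a vendor profile: the element names follow the Windows VPNv2 CSP ProfileXML layout as an assumption, and the gateway names and the app identifier are constructed. The “weak” profile is the user-initiated tunnel the section warns against.

```python
"""Audit Windows VPN ProfileXML against the Always-On (Strategy A) and per-app
(Strategy B) requirements. Added example, not Hexnode code. Element names follow
the VPNv2 CSP ProfileXML layout as an assumption; host names and the app
identifier are constructed placeholders."""
import xml.etree.ElementTree as ET

# Strategy A: device tunnel, up before logon, lockdown, certificate-only auth.
ALWAYS_ON_DEVICE_TUNNEL = """<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <LockDown>true</LockDown>
  <RegisterDNS>true</RegisterDNS>
  <NativeProfile>
    <Servers>vpn-lon.corp.example</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
    <Authentication><MachineMethod>Certificate</MachineMethod></Authentication>
  </NativeProfile>
</VPNProfile>"""

# The "user clicks Connect" profile: nothing stops traffic before the tunnel exists.
USER_TUNNEL_WEAK = """<VPNProfile>
  <AlwaysOn>false</AlwaysOn>
  <NativeProfile>
    <Servers>vpn-lon.corp.example</Servers>
    <NativeProtocolType>L2tp</NativeProtocolType>
    <Authentication><UserMethod>Mschapv2</UserMethod></Authentication>
  </NativeProfile>
</VPNProfile>"""

# Strategy B: only the listed app brings the tunnel up, and only its traffic
# is admitted to it; everything else stays on the local internet.
PER_APP = """<VPNProfile>
  <AlwaysOn>false</AlwaysOn>
  <AppTrigger><App><Id>ExampleCorp.IntranetPortal_abc123def456</Id></App></AppTrigger>
  <TrafficFilter><App><Id>ExampleCorp.IntranetPortal_abc123def456</Id></App></TrafficFilter>
  <NativeProfile>
    <Servers>vpn-byod.corp.example</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <Authentication><MachineMethod>Certificate</MachineMethod></Authentication>
  </NativeProfile>
</VPNProfile>"""


def _text(root, path):
    el = root.find(path)
    return (el.text or "").strip() if el is not None else ""


def _flag(root, name):
    return _text(root, name).lower() == "true"


def classify(xml_text):
    """Which strategy a profile actually implements, from its own settings."""
    root = ET.fromstring(xml_text)
    if _flag(root, "DeviceTunnel"):
        return "always-on-device"
    if root.find("AppTrigger") is not None:
        return "per-app"
    return "user-initiated"


def audit_vpn(xml_text, expected):
    """Findings for a profile meant to be 'always-on-device' or 'per-app'."""
    root = ET.fromstring(xml_text)
    findings = []
    proto = _text(root, "NativeProfile/NativeProtocolType")
    if proto.lower() != "ikev2":
        findings.append(f"protocol {proto or 'unset'}: expected IKEv2")
    machine = _text(root, "NativeProfile/Authentication/MachineMethod")
    user = _text(root, "NativeProfile/Authentication/UserMethod")
    if machine != "Certificate" and user != "Eap":
        findings.append("authentication is a password method, not certificate/EAP")
    routing = _text(root, "NativeProfile/RoutingPolicyType")
    if expected == "always-on-device":
        if not _flag(root, "AlwaysOn"):
            findings.append("AlwaysOn is not true: tunnel waits for the user")
        if not _flag(root, "DeviceTunnel"):
            findings.append("DeviceTunnel is not true: nothing is up before logon")
        if not _flag(root, "LockDown"):
            findings.append("LockDown missing: traffic can leave outside the tunnel")
    elif expected == "per-app":
        triggers = {e.text.strip() for e in root.findall("AppTrigger/App/Id")}
        filters = {e.text.strip() for e in root.findall("TrafficFilter/App/Id")}
        if not triggers:
            findings.append("no AppTrigger: tunnel is not scoped to managed apps")
        if routing == "ForceTunnel":
            findings.append("ForceTunnel on a per-app profile routes personal traffic via corporate")
        if triggers - filters:
            findings.append(f"apps without a TrafficFilter: {sorted(triggers - filters)}")
        if _flag(root, "LockDown"):
            findings.append("LockDown on a BYOD device blocks all personal traffic")
    return findings


if __name__ == "__main__":
    for name, xml_text, want in [("device", ALWAYS_ON_DEVICE_TUNNEL, "always-on-device"),
                                 ("weak", USER_TUNNEL_WEAK, "always-on-device"),
                                 ("per-app", PER_APP, "per-app")]:
        print(name, classify(xml_text), audit_vpn(xml_text, want))
```

Run this over every vendor XML before uploading it: the weak profile produces five findings against Strategy A (wrong protocol, password authentication, no AlwaysOn, no DeviceTunnel, no LockDown), while the per-app profile is checked for the opposite failure, a ForceTunnel or LockDown that would drag a BYOD user’s personal traffic through the corporate gateway.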
4. Implementation Checklist
- Certificate Authority: Configure SCEP forwarding in Hexnode so each device is issued its own Wi-Fi identity certificate.
- Global Wi-Fi Profiles: Define the WPA2/WPA3-Enterprise payloads for the primary corporate hubs (US/EU/APAC), each pinned to the corporate Root CA and its regional RADIUS server names.
- VPN Gateways: Configure IKEv2 settings and upload the specific VPN vendor XML profiles.
- Per-App Mapping: Identify the list of “Intranet-Only” apps and map them to the Per-App VPN profile.