How to automate device management tasks in Hexnode?

The Automations feature in Hexnode UEM provides a streamlined solution for automating the deployment of files, certificates, custom scripts, device restrictions, and updates to managed devices. This feature stands out with its scheduling capability, allowing automation actions to be initiated at designated times or triggered at device enrollment.

Though “automation” might seem similar to “policies” in terms of functionality, it differs in flexibility.

The Automate tab is designed for automating the scheduling and execution of various operations on devices, while the Policy tab enables administrators to create and manage individual policy settings that can be applied directly to devices.

This guide walks you through the steps to create, schedule, and manage automations within Hexnode UEM. Follow these instructions to efficiently automate and customize your device management processes.

Note:

The Automations feature is supported on Android, iOS, Windows, macOS, Linux, and tvOS devices.

Steps to create an automation

Follow the steps below to create an automation to instantly apply policies to a group of devices.

  1. Navigate to Automate > New Automation.

    Option to create new automation to automate device management tasks

  2. Choose the platform for which you want to create the automation.

    Choose the platform to automate device management tasks

    Actions

    After selecting the platform, click on the Edit icon next to the Untitled Automation and provide the following information to rename the automation profile.

    1. Automation Name: Enter a name for the automation.
    2. Description: Provide a brief description to clarify the automation intent or scope (optional).

    Once the details are provided, click Save.
    Options to fill in the automation profile details

    Before proceeding with the automation process, let’s understand what “Actions” in the automation correspond to:

    “Actions” in the Automate tab vs. “Remote actions”
    • Remote actions: Available in the Manage tab, remote actions are commands that perform a pre-defined operation instantaneously on devices. For example, device wipe, scan location, etc. They are one-time actions that you are required to initiate every time you need to get something done with the enrolled device.
    • Actions in the automation feature: Actions in the automation feature specify the tasks or operations that will be executed as part of the automation process. For instance, choosing specific policies to be associated with/removed from devices, users, or groups. The configured “Settings and Schedule” will act on these operations defined here.

    Under the Actions section, you have the following actions to automate:

    Patches and Updates

    1. Auto Patch

    Automatic patching streamlines the process of keeping Windows and macOS devices secure and compliant by ensuring timely updates with minimal manual intervention. It’s especially beneficial for organizations with strict security mandates or large device fleets. IT admins can configure automated update rules to control when and how patches are applied.

      1. How to configure automatic patching on Windows devices.
      2. How to configure automatic patching on macOS devices.

    2. Manual Patch

    Manual patching gives IT admins the flexibility to apply only the necessary updates based on specific organizational needs. Whether managing Windows or macOS devices, this method is ideal for environments where software compatibility is critical, such as those using legacy systems or custom applications. Manual patching allows admins to filter available updates by category and identify which ones need to be installed on devices.

      1. How to configure manual patching on Windows devices.
      2. How to configure manual patching on macOS devices.

    Patches and Updates action to automate device management tasks.

    App Distribution

    The App Distribution option enables seamless deployment of applications to Windows and macOS devices, while allowing you to customize and configure installation settings. It supports store apps (Windows) and enterprise apps (both Windows and macOS), giving IT admins full control over the deployment flow, including scripting, return code handling, installation sequence, support packages, and validation checks.

    App Distribution action in Automate tab

    Policy

    Currently, there are two options to automate under the Policy section. You can either Associate Policy (to apply a policy to the devices) or Remove Policy (to remove a policy from the devices). Only one policy can be selected at a time for either option, but additional policies can be added by selecting Add New Action.

    Policy action in Automate tab to associate and remove policy

    Scripts

    The Scripts section allows you to automatically deploy custom scripts on macOS, Windows and Linux devices. To schedule a script, select the Execute Custom Script option and choose the desired script from the Hexnode content repository. If required, you can use the Arguments field to specify script inputs. This field also supports wildcards. Once you’ve configured the script, click Add to finalize the action.

    Scripts action to automate device management tasks

    Notes:
    • For macOS, script automation is supported on devices running macOS 10.11 or later and requires the Hexnode Agent app version 1.2 or above.
    • For Windows, it is supported on Windows 10 and 11 (Pro, Enterprise, and Education editions) with Hexnode Agent version 4.2.2 or later installed.
    • For Linux, it is supported on Debian, Fedora and Ubuntu devices with Hexnode Agent app installed on the device.
    • It is recommended to validate the script execution manually on a system before executing in bulk.

    Scans

    The Scans section provides the following actions:

    1. Scan Device: This action retrieves basic details of the enrolled devices, such as battery percentage, installed apps, and device information. These details are then updated in the Hexnode UEM console.
    2. Sync Local Accounts: This action synchronizes user accounts with the Hexnode UEM console to retrieve detailed information about each account.
    3. Scan Device Location: This action fetches the real-time location of the device. It can only be performed if a location tracking policy is applied to the device.
    4. Scan for Apps: This action remotely scans enrolled devices to retrieve detailed information about applications installed on the device. These details are then updated in the Hexnode UEM console.

    Scans action to automate device management tasks

      Notes:
      • Scan Device is available across all platforms, except Apple TV.
      • Sync Local Accounts is available only for Windows, Linux and macOS devices. The action requires the latest version of the Hexnode UEM app to be installed on the device.
      • Scan Device Location is available for all platforms, except Linux and Apple TV.
      • Scan for Apps is available across all platforms.

    Alerts

    In the Alerts section, you can send custom messages to end-user devices, with the option to include wildcards that display device or user details within the message. The Alerts action is not available for Apple TV and Linux.

    Option to configure Alerts action

    Device Controls

    This section includes basic device control actions such as:

    1. Power Off: Allows the admin to remotely shut down devices.
    2. Restart Device: Allows the admin to remotely restart devices.
    3. Set Friendly Name: Allows the admin to assign or modify user-friendly names to devices for easier identification.
    4. Rename Device: Allows the admin to replace the name of the device.
    5. Set Password: Allows the admin to remotely configure a password on devices.
    6. Clear Password: Allows the admin to remotely remove the password from devices.
    7. Change Owner: Allows the admin to change the user assigned to the device.
    8. Import Contacts: Allows the admin to import contacts by deploying the VCF file to the target devices.
    9. Change Ownership: Allows the admin to change the ownership of the device.
    10. Update OS: Allows the admin to deploy OS updates to managed devices.
    11. Clear App Data: Allows the admin to remotely clear app data on managed devices.
    12. Clear Activation Lock: Allows the admin to clear activation lock on devices.

    Notes:
    • Power Off is supported on all platforms, except Apple TV.
    • Restart Device, Change Owner, Set Friendly Name and Change Ownership are supported on all platforms.
    • Rename Device is supported only on iOS and Windows.
    • Set Password and Import Contacts are supported only on Android.
    • Clear Password is supported only on Android and iOS.
    • Update OS is supported on all platforms, except Windows.
    • Clear App Data is supported only on Android.
    • Clear Activation Lock is supported only on iOS and macOS.

    Security

    This section includes security actions such as:

    1. Lock Device: Lets the admin lock devices so only those with the device password can unlock them.
    2. Enable Lost Mode: Locks down the device and tracks its location, ensuring it can’t be used if lost or stolen, and aids in quicker recovery.
    3. Disable Lost Mode: Once the device is retrieved, the admin can disable Lost Mode and return the device to normal functionality.
    4. Wipe Device: Remotely erases all data from the device, ensuring that sensitive information is securely deleted if the device is lost, stolen, or compromised.
    5. Remote Ring: Allows the admin to remotely ring the device, helping locate a lost or misplaced device by emitting a loud sound, making it easier for the user to find it nearby.

    Notes:
    • Lock Device is supported on all platforms, except Apple TV.
    • Enable Lost Mode and Disable Lost Mode are supported only on Android, iOS and Windows.
    • Wipe Device is supported on all platforms.
    • Remote Ring is supported only on Android and iOS.

    Kiosk (for Android devices)

    This section includes kiosk mode actions such as:

    1. Enable Kiosk Mode: Allows the admin to remotely activate kiosk mode from the Hexnode console, locking the Android device to a single app or a set of apps.
    2. Disable Kiosk Mode: Allows the admin to remotely deactivate kiosk mode from the Hexnode console, restoring normal device functionality and access to all apps and settings.

    Kiosk action in Automate tab

    App Management

    This section includes app management actions such as:

    1. Install Application: Allows the admin to remotely install apps on managed devices through the Hexnode console, using sources such as the Hexnode Store, Local Apps, or the Public Store.
    2. Uninstall Application: Allows the admin to remotely uninstall an app from managed devices via the Hexnode console.

    App Management action in Automate tab

    Groups and Domains (for Windows devices)

    This section includes groups and domains actions such as:

    1. Join AD Domain: Allows the admin to join a Windows device to an Active Directory (AD) domain remotely via the Hexnode console.
    2. Unjoin AD Domain: Allows the admin to remove a Windows device from an Active Directory (AD) domain remotely via the Hexnode console.

    Groups and Domains action in Automate tab

    Network (for iOS devices)

    This section includes network actions such as:

    1. Enable Data Roaming: Allows the admin to enable data roaming on iOS devices remotely via the Hexnode console, allowing the device to use mobile data while outside the home network.
    2. Disable Data Roaming: Allows the admin to disable data roaming on iOS devices remotely via the Hexnode console, preventing the device from using mobile data outside the home network.

    Network action in Automate tab

    User Controls

    This section enables the creation of both admin and standard accounts remotely from the Hexnode UEM console using the automate feature.

    Note:

    The User Controls action is supported on Windows, macOS and Linux platforms. For more details, refer to the help documents on Windows user account creation, macOS user account creation and Linux user account creation.

    Device Encryptions (for Windows devices)

    The available options to configure are:

    1. Force BitLocker Encryption: Enforces the activation of BitLocker encryption on the operating system drive and all other drives, ensuring the device data is encrypted.
    2. Force BitLocker Decryption: Forces the deactivation of BitLocker encryption, decrypting the operating system drive and all other drives.
    3. Unlock BitLocker: Allows the admin to unlock a BitLocker-encrypted drive remotely, providing access to the data if locked.
    4. Rotate BitLocker Recovery Password: Automatically rotates and escrows the recovery password for the operating system drive and all other drives.
      • Rotate recovery password for all drives: Selecting this option will automatically rotate and escrow the recovery password for all drives.
      • Rotate recovery password for specific drives: Enter the names of the drives whose recovery passwords should be automatically rotated and escrowed. Use commas to separate multiple drive names.

    Device Encryption action in Automate tab

    File Management

    The File Management action (supported on Android and macOS devices) is a remote management feature that lets IT admins deploy or delete files on enrolled devices directly from the Hexnode portal.

    • Deploy Files – This option deploys files to a specific location on the device. You can upload the files available in the Hexnode repository.

      Notes:
      • On devices enrolled via Android Enterprise – Profile Owner, the file is uploaded to Internal storage > Hexnode > Files.
      • If the specified path is invalid on macOS devices, the file will be downloaded to: Library > Application Support > HexnodeMDM.

    • Remove Files – This option removes files from a specific location on the device. Enter the full file path with the file name.

    Registry Configurations (for Windows devices)

    The Registry Configuration feature helps IT admins easily manage Windows Registry settings. You can add or remove keys, create or update values, and choose the required data types and formats using the Registry Editor option. Configurations can be set up manually or imported from a .reg file to apply registry updates efficiently. To ensure safety, you can take a registry snapshot before applying edits, making it easy to restore if needed. This feature streamlines system customization, enforces policies, and keeps devices consistent without manual effort.

  3. Once the actions are selected, click Next.
    Settings and Schedule

    Configure the automation scheduling and related settings here. You can trigger the action based on two criteria:

    Time:
    You can define the exact time when the action will be executed on the device.

    1. Initiate: You can configure the action initiation frequency. Choose between three options: ASAP (the action is triggered instantly), Once, or Repeat on a set schedule.
    2. Scheduled Date: Set the action initiation date in MM/DD/YYYY format (for the Once option).

      The action is triggered based on time and is set to initiate only once

    3. Scheduled Day: Specify the day for action initiation (for the Repeat on a set schedule option). Three sub-options are available:
      1. Everyday: The action will trigger daily.
      2. Selected days: Select specific days of the week for the action to trigger.
      3. Monthly: Specify the day of the month for action initiation, such as the 10th of every month.

      The action is triggered and repeated according to a set schedule

    4. Scheduled Time: Set the time at which the action should take place on the devices, in HH/MM format. You can also select the time zone.

    Activity: Define the device activity that will trigger the action on the device. You can select from the following four activity types:

    1. On Device Enrollment: Triggers the action when the device is enrolled. The automation action will be applied only to newly enrolled devices after their initial device scan.
    2. On SIM Insertion: Triggers the action upon the insertion of a SIM card on the device.
    3. On SIM Removal: Triggers the action when a SIM card is removed from the device.
    4. On SIM Switch: Triggers the action when a SIM card is replaced with a different one.
    5. On Device Compliance: Triggers the action when the device is compliant.
    6. On Device Non-Compliance: Triggers the action when the device is non-compliant.
    7. On Location Compliance: Triggers the action when the device is location compliant.
    8. On Location Non-Compliance: Triggers the action when the device is not location compliant.
    9. On Device Inactive: Triggers the action when the device becomes inactive.
    10. On Device Inactive For: Triggers the action when the device remains inactive for a specified duration. You can define the inactivity period in minutes.

    Note:
      • The triggers (On Device Inactive and On Device Inactive For) are supported on Android devices and can be used to initiate actions such as Lock Device, Enable Lost Mode, and Wipe Device.
      • On Android devices, the Alarms and reminders permission must be granted to the Hexnode UEM app on the device for the On Device Inactive and On Device Inactive For triggers to function as expected. If the permission is not granted, the user will be prompted to allow it. If denied, the associated action will not be triggered.

    The action is triggered upon device activity

  4. Once you have configured the Settings and Schedule, click Next. On the following page, you can define the target filters.
    Target Filters

    Configure target filters in this section. You can specify options for Included groups, Excluded groups, and create custom filters by selecting the Filters option.

    1. Included groups: Select device or user groups to which the action will apply. Click Add Groups to view and choose from the available device and user groups in your Hexnode UEM portal.
    2. Excluded groups: Choose device or user groups to be excluded from the action automation. Click Add Groups to display the available groups for exclusion.

      List of device groups and user groups for including and excluding deployments

    3. Filters: Create custom filters based on the following categories:
      1. Device: This category encompasses various attributes specific to the device being managed.
      2. User: This category includes attributes related to the users who are using the devices.
      3. Network: This category relates to network attributes associated with the devices.
      4. Device Status: This category provides attributes associated with the compliance and operational status of the devices.

    To configure filters, set the following fields:

    1. Select Column: Choose the category used for filtering. Once selected, the relevant sub-categories will be displayed under this dropdown.
    2. Select Comparator: Define the comparison method.
    3. Select value: Set the specific value for filtering.

    Below is a list of available filter categories and their corresponding sub-categories:

    Main category and sub-categories:
    Device
    • Apple DEP
    • Asset tag
    • Available internal storage
    • Battery level
    • BitLocker Policy Compliance
    • Department
    • Device ID
    • Device model
    • Device notes
    • Device type
    • Encryption Status
    • Enrolled time
    • Enterprise Management Type
    • Installed RAM
    • Last checked-in time
    • Manufacturer
    • MEID
    • OS name
    • OS version
    • Ownership
    • Platform
    • Processor name
    • Serial number
    • Supervision
    • Total internal storage
    • TPM version
    • UDID
    • Used internal storage
    User
    • Alternate email
    • Department (AD)
    • Domain name
    • Email
    • Office location (AD)
    • sAMAccountName
    • Title (AD)
    • User type
    • Username
    Network
    • Bluetooth MAC address
    • Current carrier network SIM 1
    • Current carrier network SIM 2
    • Current MCC
    • Current MNC
    • Ethernet IP Address
    • Ethernet MAC address
    • Home carrier
    • Home country
    • ICCID SIM 1
    • ICCID SIM 2
    • IMEI SIM 1
    • IMEI SIM 2
    • IMSI
    • International data roaming
    • Last connection date
    • Personal Hotspot
    • Phone number SIM 1
    • Phone number SIM 2
    • Roaming enabled
    • SIM carrier network
    • Subscriber carrier network (iOS)
    • Subscriber MCC
    • Subscriber MNC
    • Wi-Fi IP Address
    • Wi-Fi MAC address
    • Wi-Fi SSID
    Device Status
    • Activity status
    • Application compliance status
    • Compliance status
    • Enrollment status
    • Geofence compliance status
    • Jailbroken
    • Kiosk mode
    • Lost mode
    • MDM profile
    • Password compliance status
    • Rooted
    1. After selecting the desired sub-category, a comparator must be chosen.

      Note:

      The available comparators vary depending on the selected sub-category.

      For example, if Apple DEP is chosen as the sub-category, the available comparators are Is and Is not.

      Option to select comparator for deployments

    2. After selecting the comparator, the value for comparison must be chosen or entered.

      In the case of the Apple DEP sub-category, the available options are Disabled and Enabled.

      Option to set the filter value

    Notes:
      1. You can add nested filters using the ‘+’ icon along with the AND operator. To remove a filter, simply click the trash icon next to the ‘+’ icon.

        Option to configure nested filters for deployments

      2. When dealing with multiple filters, there are two available operator options: “AND” and “OR.”

        Option to apply multiple filters for deployments

      3. Choosing AND means that devices must meet the criteria set by all the filters. On the other hand, selecting OR allows the action to apply to devices that meet at least one of the criteria from the filters.

  5. After setting the filters, click Next.
    Review

    The next page leads to the Review section, where the configured automation settings can be viewed. If any adjustments are needed, click the Edit option to access the corresponding section and make changes as necessary.

    Review page of displaying options to modify and save the deployment

  6. Once you have reviewed the automation, click Save.
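
A dry run of the targeting rules from the Target Filters step, as an added example that is not Hexnode code: it models included groups, excluded groups and AND/OR filters over a constructed inventory, so the reach of a high-impact action such as Wipe Device can be checked before clicking Save. The group names, the inventory rows, the "Compliance status" values and the rule that an excluded group overrides an included one are assumptions of this example.

```python
from dataclasses import dataclass, field

# Action names come from this page; treating them as high-impact is this
# example's own judgement, not a Hexnode classification.
HIGH_IMPACT = {"Wipe Device", "Clear App Data", "Force BitLocker Decryption",
               "Unjoin AD Domain"}

# Only the two comparators the page names (for Apple DEP) are modelled.
COMPARATORS = {
    "Is": lambda actual, wanted: actual == wanted,
    "Is not": lambda actual, wanted: actual != wanted,
}

# Constructed inventory. Column names are sub-categories listed on this page;
# group names and the "Compliance status" values are made up.
DEVICES = [
    {"name": "ipad-001", "groups": {"Field iPads"},
     "Apple DEP": "Enabled", "Compliance status": "Non-compliant"},
    {"name": "ipad-002", "groups": {"Field iPads"},
     "Apple DEP": "Disabled", "Compliance status": "Non-compliant"},
    {"name": "ipad-003", "groups": {"Field iPads", "Executives"},
     "Apple DEP": "Enabled", "Compliance status": "Non-compliant"},
    {"name": "ipad-004", "groups": {"Field iPads"},
     "Apple DEP": "Enabled", "Compliance status": "Compliant"},
]

@dataclass
class Automation:
    actions: list
    included_groups: set
    excluded_groups: set = field(default_factory=set)
    filters: list = field(default_factory=list)  # (column, comparator, value)
    operator: str = "AND"                        # "AND" or "OR"

def passes_filters(device, filters, operator):
    """AND: every filter must hold. OR: at least one filter must hold."""
    if not filters:
        return True
    results = [COMPARATORS[cmp](device.get(col), val) for col, cmp, val in filters]
    return all(results) if operator == "AND" else any(results)

def preview_targets(automation, devices):
    """Names of the devices the automation would reach under this model."""
    hits = []
    for d in devices:
        if not d["groups"] & automation.included_groups:
            continue
        if d["groups"] & automation.excluded_groups:  # assumed: exclusion wins
            continue
        if passes_filters(d, automation.filters, automation.operator):
            hits.append(d["name"])
    return hits

def review(automation, devices, max_high_impact_targets=1):
    """Return (targets, warnings) to read before saving the automation."""
    targets = preview_targets(automation, devices)
    risky = sorted(HIGH_IMPACT & set(automation.actions))
    warnings = []
    if risky and len(targets) > max_high_impact_targets:
        warnings.append(f"{', '.join(risky)} would reach {len(targets)} devices")
    if risky and automation.operator == "OR" and len(automation.filters) > 1:
        warnings.append("OR matches devices that satisfy any single filter")
    return targets, warnings

if __name__ == "__main__":
    wipe = Automation(["Wipe Device"], {"Field iPads"}, {"Executives"},
                      [("Compliance status", "Is", "Non-compliant"),
                       ("Apple DEP", "Is", "Enabled")], "OR")
    print(review(wipe, DEVICES))
```

Switching the same two filters from AND to OR grows the target set from one device to three, which is the difference the review step should surface for an action that cannot be undone.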

Automate tab overview

After successfully creating an automation, you can easily monitor and manage it through the Automate tab. The Automate tab consists of the following sections:

  • Active Automations
  • Archives
  • Activity Feed

Active Automations

The created automations will be displayed in the Active Automations section on the home screen of the Automate tab. This section provides details such as the name, version, platform, creation date, status, and last status update for each automation.

List of the created deployments

Additionally, each automation includes a “Run Now” option that allows IT admins to instantly execute the selected automation on targeted devices.

Also, there are options to Archive, Pause, Resume and Delete the automations. To perform any of these, select the desired automation and click on Actions.

Options under the Actions tab

Archives

Archived automations can be found in the Archives section, which shows the automation name, version, and archived time. From this section, automations can be deleted or restored.

Section displaying archived deployments

Activity Feed

Detailed information about each automation can be viewed in the Activity Feed, including the automation name, version, activity type, and the time when the activity occurred.

To view specific automation details, select the desired automation and navigate to the Reports section. Here, you can see device-specific details related to the automation, such as the device name, platform, action, version, initiation time, completion time, and the automation status. You can also export and download the report in either PDF or CSV format from this section.

By following the outlined steps, you can streamline the automation process to meet your organization’s needs, allowing you to create an automation that instantly automates the deployment of a file, certificate, custom script, or an update to a group of devices or group of users.
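
The Registry Configurations action described earlier accepts a .reg import, so the file is worth reviewing before an automation pushes it to a fleet. The added example below (not Hexnode code) parses the standard .reg text format into an ordered list of operations and flags deletions and writes under key prefixes chosen here as an assumption; the sample file and its ExampleCorp keys are constructed.

```python
import re

KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HEX_TYPES = {"hex": "REG_BINARY", "hex(2)": "REG_EXPAND_SZ",
             "hex(7)": "REG_MULTI_SZ", "hex(b)": "REG_QWORD"}

# Prefixes treated as needing a second reviewer (an assumption to tune).
SENSITIVE_PREFIXES = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies",
                      r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services")

# Constructed sample file; the ExampleCorp keys are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
; constructed sample
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp\Agent]
"InstallDir"="C:\\Program Files\\ExampleCorp"
"Blob"=hex:01,02,\
  03,04
"OldSetting"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
[-HKEY_CURRENT_USER\Software\ExampleCorp\Legacy]
"""

def logical_lines(text):
    """Join physical lines ending in a backslash (hex value continuation)."""
    buf = ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
        else:
            yield buf
            buf = ""

def decode(data):
    """Map the text after '=' to (operation, registry type, value)."""
    if data == "-":  # "name"=- removes the value
        return "delete_value", None, None
    if data.startswith('"'):
        return "set_value", "REG_SZ", re.sub(r"\\(.)", r"\1", data[1:-1])
    kind, sep, payload = data.partition(":")
    if sep and kind == "dword":
        return "set_value", "REG_DWORD", int(payload, 16)
    if sep and kind in HEX_TYPES:
        return "set_value", HEX_TYPES[kind], payload.replace(" ", "")
    return "set_value", "UNKNOWN", data

def parse_reg(text):
    """Return the ordered list of operations a .reg import would perform."""
    ops, key = [], None
    for line in logical_lines(text):
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1):  # "[-KEY]" deletes the key and its subkeys
                ops.append({"op": "delete_key", "key": key})
            continue
        m = VALUE_RE.match(line)
        if m and key:  # header, comments and blank lines match neither regex
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            op, typ, data = decode(m.group(2))
            ops.append({"op": op, "key": key, "name": name, "type": typ, "data": data})
    return ops

def findings(ops):
    """Deletions and writes under sensitive prefixes, for manual sign-off."""
    prefixes = tuple(p.upper() for p in SENSITIVE_PREFIXES)
    out = []
    for o in ops:
        if o["op"].startswith("delete") or o["key"].upper().startswith(prefixes):
            out.append(f'{o["op"]} {o["key"]}' + (f' :: {o["name"]}' if "name" in o else ""))
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_reg(SAMPLE_REG))))
```

In the sample, the write to the Windows Update policy key is flagged because it would disable automatic updates and so work against any Auto Patch automation applied to the same devices.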