Help Center
14 DAY FREE TRIAL
Search Close Search
Search result for "aa"
View all results

No Search Results

14 DAY FREE TRIAL
  1. Help Center
  2. Solution Framework
  3. Provisioning

Category filter

Building a “Self-Service” App Portal: Reducing IT Tickets via Hexnode UEM

Jump To

Executive Summary

In the modern enterprise, “Software-on-Demand” has transitioned from a luxury to an operational necessity. Traditional app deployment—where IT manually pushes every binary—creates a severe bottleneck that leads to helpdesk “Ticket Fatigue.” By building a Self-Service App Portal via the Hexnode UEM App Catalog, IT administrators can shift to a Ticket Deflection model. This guide outlines how to curate, secure, and deploy a unified Enterprise App Catalog that empowers standard users to autonomously install approved software across iOS, Android, Windows, and macOS, without compromising endpoint security or ever requiring local administrator credentials.

Technical Logic:

The Hexnode UEM App Catalog allows IT to distribute software on demand rather than forcing mandatory installations. Administrators curate approved applications (VPP, Google Play, or raw enterprise binaries) into a catalog that is assigned to specific user groups. This creates a secure “pull” model. The software is preauthorized by IT, but the final installation is triggered by the end user via their Hexnode UEM app. Because the Hexnode UEM app executes the installation using its own system level privileges, standard users do not need local administrator credentials to get their software. This enforces strict security while eliminating routine provisioning tickets for the IT helpdesk.

1. Curating the Enterprise Repository

Before a self-service App Catalog can be built, the required software must be ingested and “Managed” within the Hexnode UEM console’s centralized App Inventory.

  • Managed Store Apps (Apple VPP & Managed Google Play): Sync your Apple Business Manager (VPP) account to silently distribute volume purchased apps across iOS, iPadOS, and macOS. For Android fleets, sync your Managed Google Play account. This ensures that even when users self-serve, public store applications remain corporate owned and are fully revocable upon employee departure.
  • Enterprise Applications (In House Binaries): Upload custom or proprietary binaries directly to the Hexnode App Repository. Hexnode supports native enterprise app deployment across all major ecosystems: Android (APK files), iOS (IPA files), macOS (PKG or DMG files), and Windows (MSI files).
  • Web Apps: Curate a list of Web Shortcuts for internal portals (e.g., HR directories, internal wikis, SaaS logins) to be included alongside native applications in the same unified catalog.

2. Architecture: Creating the App Catalog

Think of the App Catalog as a custom, secure storefront. Unlike a “Required Apps” policy that forces an installation, the Catalog simply makes approved apps available for the user to select.

  • Creating the Container: In the Hexnode UEM portal, administrators navigate to Apps > App Catalogs and create a new catalog. You can give it a friendly, recognizable name and description that makes sense to your employees, such as “Marketing Software Center” or “Developer Tools.”
  • Populating the Storefront: IT can populate this catalog by adding individual apps or entire App Groups. Grouping software by department is a great way to prevent the catalog from becoming cluttered.

    Note for Windows environments: Ensure your catalog directly utilizes MSI or Store apps. EXE or MSIX files added via App Groups will not natively display within the catalog UI.

  • Strict Version Control: If you have uploaded multiple versions of the same enterprise app to your Hexnode inventory, the catalog settings allow you to explicitly select which specific version is populated. This gives IT complete control over ensuring users only download the most stable release.

3. Deployment & The Hexnode UEM App Behavior

A catalog only becomes visible and functional once it is attached to a device via an App Catalog policy. Once deployed, the Hexnode UEM app acts as a secure intermediary between the standard user and the device’s underlying Operating System (OS). Because the Hexnode UEM app operates with elevated privileges, it can command the OS to install the software without asking the user for admin credentials.

  • The Policy Handshake: Navigate to Policies > New Policy > Create a fully custom policy > [Platform] > App Management > App Catalog.
  • Assignment Logic: Instead of choosing Required Apps policy (which forces immediate, mandatory installation), select your newly curated App Catalog.
  • The Endpoint User Experience: Once the policy syncs, the end-user opens the native Hexnode UEM app on their device.
    • They navigate to the App Catalog tab, which displays their customized, pre-approved software list under “All categories”.
    • The user clicks Get or Install next to the desired app.
    • Agent Execution Details:
      1. Enterprise Apps: Because the Hexnode UEM app runs with system-level privileges, it intercepts the user’s request and executes the installation in the background. The user never sees a UAC (User Account Control) prompt and does not need Local Administrator credentials.
      2. Public Store Apps: If the user selects a public store app from the catalog (e.g., Apple App Store or Microsoft Store), Hexnode will seamlessly redirect them to the native OS store to complete the download.

4. The Impact: Ticket Deflection vs. Manual Push

Metric Manual Push Model Self-Service Portal Model
IT Intervention Required for every single app request. Zero (Authorization is automated via the catalog).
Network Impact High (Bulk mandatory downloads trigger all at once). Low (Distributed organically as users demand apps).
User Autonomy Passive (Waiting hours/days for IT deployment). Active (Immediate gratification and productivity).
License Efficiency Often over-provisioned (Deployed to users who don’t need it). Optimized (Licenses consumed only when actively installed).
Security Posture Frustrated users may demand Local Admin rights. Secure (Hexnode UEM app installs without granting Admin rights).

5. Best Practices for Self-Service Governance

  • Hybrid Deployment Strategy: Do not put critical security agents in the App Catalog. Use the Required Apps policy for essential, non-negotiable tools (Antivirus, Endpoint Detection) and the App Catalog strictly for productivity and role-specific tools (Zoom, Slack, Adobe CC).
  • Zero-Trust Integration: Tie catalog visibility to your Directory Groups (Okta/Entra ID/Google Workspace). A user synced to the “Accounting” device group should automatically receive a policy displaying different apps in their portal than a user in “Engineering.”
  • Automated Updates: If you update the version of an MSI app within your Hexnode app inventory and catalog, the associated App Catalog policy updates automatically.

FAQ (Frequently Asked Questions)

Q1: Do users need an Apple ID to install apps from the Self-Service portal?

A: No, provided you are using VPP Device-Based Assignment. The app license is tied to the device serial, allowing the user to “pull” the app without any personal account prompts.

Q2: Can I prevent users from installing apps that are not in the App Catalog?

A: Yes. You can combine the App Catalog deployment with a Blocklisting policy or an OS-level restriction that hides the native Apple App Store or Microsoft Store. This essentially turns the Hexnode App Catalog into the only authorized source for software on the corporate device.

Q3: Does this self-service model work for remote workers off the corporate network?

A: Absolutely. As long as the remote device has an active internet connection, the “Self-Service” execution commands travel over-the-air (OTA) from the Hexnode Cloud to the local agent, allowing remote employees to securely set up their workspace from anywhere in the world.

Need more help?
Image of Raise a Ticket Raise a Ticket
Image of Ask Community Ask Community
Image of Chat With us Chat With us
Solution Framework