Help Center
14 DAY FREE TRIAL
Search Close Search
Search result for "aa"
View all results

No Search Results

14 DAY FREE TRIAL
  1. Help Center
  2. Enrolling Devices
  3. Windows

Category filter

Google Workspace enrollment for Windows devices

Jump To

Hexnode’s seamless integration with Google Workspace helps businesses import their users or groups directly to the UEM console. This facilitates the enrollment of Windows devices using configured Google Workspace accounts.

The process is a two-step workflow:

  1. Configure Google Workspace: Set up the service account and API delegation.
  2. Enroll Windows devices: Authenticate via Google Workspace credentials.

Configure Google Workspace

Requirement: Your organization must have an active Google Workspace account.

Create a Google Service Account

Hexnode requires a service account to sync directories and push configurations.

  1. Login: Use Google Workspace admin credentials to log in to the Google Cloud Console.
  2. Create Project: Click Create Project. Provide a name (e.g., “Hexnode Windows Enrollment”); a corresponding Project ID will be generated.
  3. Navigate to Credentials: From the left pane, select APIs and Services > Credentials.
  4. Service Account Creation:
    1. Click Create Credentials and select Service account.
    2. Service account name: Provide a suitable name.
    3. Service account ID: Automatically generated.
    4. Service account description: Provide a suitable description.
    5. Click Create and Continue.
  5. Role (Optional): Click Select a role and choose Service Accounts > Service Account Admin. Click Continue, then Done.
  6. Client ID: Click the email of the new service account. Select the Advanced settings dropdown and copy the Client ID.
  7. JSON Key: Navigate to Keys at the top. Click Add Key > Create new key, choose JSON, and click Create.
    1. The downloaded JSON key must be uploaded to the Hexnode UEM portal later.
  8. Enable SDK: In the APIs & Services menu, select Enabled APIs & Services, click +ENABLE APIS AND SERVICES, search for Admin SDK API, and click Enable.

Manage API Client Access for MDM

This process provides the MDM with specific API access to apply configurations to the managed devices. Ensure you Enable API access in the Admin console before proceeding.

  1. Using your Google Workspace Admin credentials, log in to the Google Admin Console and click on Security.
  2. From API Controls, select MANAGE DOMAIN WIDE DELEGATION under the Domain wide delegation section.
  3. Click on +Add new.
  4. Authorize the API clients by providing the following details:
    1. Client ID: Copy the unique ID from your downloaded JSON file or the Google Cloud console.
    2. OAuth scopes: Copy and paste the following links (must be comma-separated):
      1. https://www.googleapis.com/auth/admin.directory.user – To sync individual users.
      2. https://www.googleapis.com/auth/admin.directory.group – To sync user groups.
      3. https://www.googleapis.com/auth/admin.directory.domain – To fetch the domain.
  5. Click on AUTHORIZE.

Notes:

  • To sync users, user groups, and domains from your Google Workspace account with the Hexnode UEM console, you must provide the OAuth scopes separated by a comma.
  • The directory domain scope https://www.googleapis.com/auth/admin.directory.domain is mandatory. If this scope is not entered, the domain sync will fail, and the portal will display the error message: “Google Workspace domain names could not be retrieved.”

Integration of Google Workspace with Hexnode UEM Server

  1. Log in to your Hexnode UEM portal.
  2. Navigate to Admin > Google Workspace.
  3. Configure the following options:
    1. Google Workspace Admin Email: Enter the Google Workspace admin email address for the domain you want to synchronize with Hexnode.
    2. Google Workspace key: Upload the JSON key previously downloaded.
  4. Click Next to proceed with the configuration.
  5. Synchronization Options: Two new options will be displayed:
    1. Sync across all domains: Checking this will sync all users and/or user groups across all domains. New domains created in Google Workspace will automatically sync during the next scheduled cycle.
    2. Choose Domain(s): Only the users and/or user groups present in the specific selected domains will be synced.
  6. Scheduled Scan Settings: Use this feature to set a specific time and day for the Google Workspace sync to initiate.
    1. Daily: Enter the time in 24-hour format in the “Initiate sync at” field. The sync will run at this time every day.
    2. Weekly: An additional option to select specific days will appear. The sync will initiate at the specified time only on the selected days.
  7. Click the Save button to finalize the configuration.

Note: Click on the Refresh Domains button if a newly added domain is not immediately displayed on the portal.

Enroll Windows devices via Google Workspace authentication

Once the Google Workspace account is successfully configured, you can begin enrolling your Windows devices into Hexnode UEM.

Step 1: Enrollment Setup

Administrators can initiate enrollment either by sending targeted requests or by enabling users to enroll themselves manually.

A. Send enrollment requests to Google Workspace users

  1. Navigate to Enroll > Platform-Specific > Windows > Windows PCs & Tablets.
  2. Switch the Authentication Mode to Authenticated Enrollment.
  3. Select Google User under the Enrollment Request option. Users will receive an email or SMS containing the Hexnode server address and enrollment instructions.
  4. Adjust device Ownership (Corporate/Personal) if required and click Next.
  5. Select the delivery mode: Email, SMS, or both.
  6. Crucial: Change the Domain from Local to your specific Google Workspace domain.
  7. Select the intended user and click Send.

Note: You can also send enrollment requests by navigating to Manage > Users/User Groups/Directory Services, selecting the users, and choosing Actions > New Enrollment.

B. Self Enrollment

  1. Navigate to Enroll > Platform-Specific > Windows > Windows PCs & Tablets.
  2. Switch the Authentication Mode to Authenticated Enrollment.
  3. Select Google User under Self Enrollment.
  4. Adjust Ownership if required and click Next.
  5. Enrollment settings will update, allowing users to enroll using their dedicated Google Workspace credentials.

Step 2: Enroll the device via Authenticated Enrollment

Hexnode provides two distinct methods for completing the enrollment on a Windows machine.

Method 1: Using the Hexnode Installer App

  1. Open a web browser on the Windows machine and enter the enrollment URL: https://{portalname}.hexnodemdm.com/enroll/
  2. Click Download to initiate the Hexnode Installer app.
  3. Open the file and click Yes on the setup wizard to grant administrative permissions.
  4. Click Install, review the EULA, and click Agree and Enroll.
  5. Change the Domain from Local to your Google Workspace domain and enter your credentials. Click Authenticate.
  6. Troubleshooting Processing Failures: If the app fails to process the request automatically:
    1. Click Enroll; this opens Settings > Accounts > Access Work or School > Enroll in Device Management.
    2. The username and server address will be auto-filled. Click Next.
  7. Follow the setup instructions and click Got It.

    Note: If the connection takes too long, navigate to Settings > Accounts > Access work or school > Info > Sync.

  8. The Hexnode UEM app and all configurations will install automatically. Click Done, then Finish to exit.

Method 2: Native Enrollment

  1. On the Windows device, go to Settings > Accounts > Access work or school.
  2. Click Enroll only in device management.
  3. Enter your work email and click Next.
  4. Important: You will be prompted for a Microsoft password. Neglect this step by closing the tab.
  5. Enter your Hexnode enrollment URL: https://{portalname}.hexnodemdm.com and click Next.
  6. On the authentication page, click Sign in with Google and enter your Google Workspace username and password.
  7. Read the setup instructions and click Got It. The device is now successfully enrolled.

Frequently Asked Questions (FAQs)

Q1. Why do I need to close the Microsoft password tab during Native Enrollment?

Native Windows enrollment defaults to Microsoft/Entra ID. Since you are using Google Workspace for authentication, closing that tab triggers the Hexnode portal to redirect you to the Sign in with Google page instead.

Q2. Can I automate the synchronization of new Google Workspace users?

Yes. By using the Scheduled Scan feature (Daily or Weekly) in the Hexnode Admin settings, the UEM portal will automatically pull new users and groups without manual intervention.

Q3. What happens if the Hexnode Installer fails to process the enrollment?

If the app doesn’t complete the process automatically, clicking the “Enroll” button within the installer will bridge you to the Windows native “Access Work or School” settings, where the necessary server details are pre-filled for manual finalization.

Troubleshooting

1. Error: “Your device is already being managed by an organization”

Symptoms: Enrollment fails immediately during the initial setup phase.

Potential Causes

  • Dual-MDM Conflict: The device is currently enrolled in another MDM solution (Intune, Kandji, etc.). A device can only have one management profile at a time.
  • Residual Registry Keys: Previous management data was not cleanly wiped, leaving a block in the Windows Registry.

Solutions

  • Option A (Clean Disenrollment): Navigate to the device’s settings (e.g., Settings > Accounts > Access work or school), find the previous management profile, and select Disconnect. Retry Hexnode enrollment.
  • Option B (Registry Fix):
    1. Open the Registry Editor (regedit).
    2. Navigate to: HKLM\Software\Microsoft\Enrollments
    3. Locate the key: ExternallyManaged
    4. Delete the key or set its value to 0.

2. Error: “Authentication Error! The credential… belongs to a different user.”

Symptoms: This usually occurs during bulk deployments or when using device images.

Potential Cause

This happens when the portal detects a duplicate UDID. This is common if you have “cloned” a machine using an OS image that was captured after the original machine was already enrolled in Hexnode.

Solution

You must clear the unique MDM identifier so the device can generate a new one:

  1. Open Registry Editor.
  2. Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\MDMDeviceID
  3. Delete the MDMDeviceID key.
  4. Restart the enrollment process.

3. Status: “Hexnode Agent app is inactive

Symptoms: The device shows as “Inactive” in the Hexnode Portal. Actions like Execute Custom Script or Power Off stay in “Pending” status, though Scan Device may still work.

Probable Cause

  • Network Instability: The device cannot “check-in” with the Hexnode servers due to a dropped or restricted internet connection.

Solution

  • Check Connectivity: Ensure the device has an active internet connection.
  • Toggle Connection: Disable and re-enable Wi-Fi or switch to a different stable network.
  • Refresh Agent: Open the Hexnode Agent app manually on the device to trigger a sync. Once the connection is stable, the status in the Device Summary should update to “Active.”
Need more help?
Image of Raise a Ticket Raise a Ticket
Image of Ask Community Ask Community
Image of Chat With us Chat With us
Enrolling Devices
Managing Windows Devices