Geo-Temporal Access Control: Securing Corporate Data with Location and Time Logic

Geo-Temporal Logic is an advanced security framework that uses “Contextual Multi-Factor” variables to grant or deny access. Instead of just checking who the user is, the system evaluates where they are and when the attempt is occurring.

By leveraging the Contextual Multi-Factor variables, Hexnode UEM allows you to bind access rights to physical locations and specific timeframes. Let’s dive into how you can configure this Boolean AND condition (Location == Office AND Time == Working Hours) to ensure your sensitive corporate data remains locked down when it matters most.

1. Overview

This guide outlines how to implement Geo-Temporal Logic to secure high-risk applications (like corporate CRMs or finance portals). This policy ensures that sensitive apps are functional only when a managed device is physically inside a designated “Safe Zone” during an authorized “Operational Window.” If either condition evaluates to false (e.g., trying to access files at 2:00 AM or from an airport terminal), the access gate remains firmly locked.

2. Policy Logic Matrix

Geo-Temporal security relies on the intersection of two primary data points. Hexnode constantly evaluates these parameters to determine the appropriate enforcement action:

| Location Status | Time Status | Access Result | Enforcement Action |
|---|---|---|---|
| Inside Fence | During Work Hours | GRANTED | Apps are visible, synced, and functional. |
| Inside Fence | After Hours | DENIED | Apps are hidden, locked, or sync is disabled. |
| Outside Fence | During Work Hours | DENIED | Access is blocked (device marked Non-Compliant). |
| Outside Fence | After Hours | CRITICAL | Device sends a compliance alert to the IT dashboard. |
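The matrix above is a pure function of two booleans. The following is an added illustration, not Hexnode code and not a description of how the Hexnode backend evaluates policies: it models a fence as a centre point plus radius (the 200 m radius from Step A absorbs GPS drift), an operational window as workdays plus a local start/end time, and returns the matrix's result and enforcement action. The office coordinates, the 09:00–18:00 window and the fixed BST offset are constructed sample values; a real deployment would pass a `zoneinfo.ZoneInfo` so daylight-saving transitions are handled. Note that the window is evaluated against server-supplied UTC time rather than the device's own clock, which is exactly the drift failure the Troubleshooting section warns about.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_m: float  # e.g. 200 m, generous enough to absorb GPS drift


@dataclass(frozen=True)
class OperationalWindow:
    tz: tzinfo                # zone the office operates in
    workdays: frozenset       # 0 = Monday ... 6 = Sunday
    start: time               # inclusive, local time
    end: time                 # exclusive, local time ("Off-Hours" start)


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def inside_fence(fence: Geofence, lat: float, lon: float) -> bool:
    """Location gate: device is inside the Safe Zone if within the radius."""
    return haversine_m(fence.lat, fence.lon, lat, lon) <= fence.radius_m


def in_window(window: OperationalWindow, now_utc: datetime) -> bool:
    """Time gate, evaluated on authoritative (server) UTC time, never the
    device-reported clock, so a drifted or manually altered device clock
    cannot move the gate."""
    if now_utc.tzinfo is None:
        raise ValueError("now_utc must be timezone-aware")
    local = now_utc.astimezone(window.tz)
    return local.weekday() in window.workdays and window.start <= local.time() < window.end


def evaluate_access(fence: Geofence, window: OperationalWindow,
                    lat: float, lon: float, now_utc: datetime) -> tuple[str, str]:
    """Return (access_result, enforcement_action) per the policy logic matrix."""
    loc_ok = inside_fence(fence, lat, lon)
    time_ok = in_window(window, now_utc)
    if loc_ok and time_ok:
        return ("GRANTED", "apps visible, synced and functional")
    if loc_ok:   # inside fence, after hours
        return ("DENIED", "apps hidden or locked, sync disabled")
    if time_ok:  # outside fence, during work hours
        return ("DENIED", "access blocked, device marked Non-Compliant")
    return ("CRITICAL", "compliance alert sent to IT dashboard")


# Constructed sample configuration (hypothetical HQ, not a real site).
HQ = Geofence(name="Main HQ Office", lat=51.5007, lon=-0.1246, radius_m=200.0)
OFFICE_TZ = timezone(timedelta(hours=1), "BST")  # fixed offset for the sample only
WORK_HOURS = OperationalWindow(
    tz=OFFICE_TZ,
    workdays=frozenset({0, 1, 2, 3, 4}),  # Mon-Fri
    start=time(9, 0),
    end=time(18, 0),
)

if __name__ == "__main__":
    # Tuesday 10:00 local, 50 m from the fence centre -> GRANTED
    tue_morning = datetime(2024, 6, 4, 9, 0, tzinfo=timezone.utc)
    print(evaluate_access(HQ, WORK_HOURS, 51.50115, -0.1246, tue_morning))
    # Same spot at 02:00 local (the guide's example) -> DENIED
    tue_night = datetime(2024, 6, 4, 1, 0, tzinfo=timezone.utc)
    print(evaluate_access(HQ, WORK_HOURS, 51.50115, -0.1246, tue_night))
    # About 1 km away at 02:00 local -> CRITICAL
    print(evaluate_access(HQ, WORK_HOURS, 51.5097, -0.1246, tue_night))
```

Each gate is independent and boolean, so the only way to reach GRANTED is for both to be true; any single false gate yields a deny, and both false together escalate to the alerting row of the matrix.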

3. Implementation Workflow

To implement this logic, you will first define your “Safe Zone,” then create the restriction policy, and finally use Automations to act as the “Access Gates.”

Step A: Define the “Safe Zone” (Geofencing)

First, establish the physical perimeter where corporate apps are permitted to function.

  1. Navigate to Admin > Geofencing.
  2. Click Create Fence and mark your office or secure site on the map.
  3. Set a Radius (e.g., 200 meters) to account for natural GPS drift.
  4. Save the fence with a clear name (e.g., “Main HQ Office”).

Step B: Create the “Lockdown” Policy

This policy contains the restrictions that will be “pushed” to the device when it is out of compliance (either due to time or location).

  1. Navigate to Policies > New Policy and select the relevant OS Platform.
  2. Go to App Management > Blocklist/Allowlist.
  3. Configure a Blocklist containing the sensitive apps (e.g., CRM, Finance Portal) you want to restrict.
  4. Name this policy Geo-Temporal Lockdown and save it.

Step C: Setting the “Access Gates” (Automations)

Now, we link the policy to specific triggers. Hexnode evaluates these conditions to ensure that if a device moves out of the fence OR exceeds the operational window, access is blocked.

Gate 1: The “Operational Window” (Time-Based)

This automation ensures that sensitive apps are blocked after work hours, regardless of location.

  1. Navigate to the Automate tab and select New Automation.
  2. Action: Select Associate Policy and choose the Geo-Temporal Lockdown policy created in Step B.
  3. Settings and Schedule:
    • Trigger: Time
    • Initiate: Repeat at a set schedule
    • Scheduled Day: Choose your preferred workdays (e.g., Mon-Fri).
    • Scheduled Time: Set the “Off-Hours” start time (e.g., 18:00).
  4. Targets: Add the specific Device Groups this should apply to and click Save.

Gate 2: The “Safe Zone” (Location-Based)

This automation triggers the lockdown immediately if the device leaves the authorized physical area.

  1. Navigate to Automate > New Automation.
  2. Action: Select Associate Policy and choose the Geo-Temporal Lockdown policy.
  3. Settings and Schedule:
    • Trigger: Activity
    • Initiate: On Location Non-Compliance (This triggers when the device exits the fence defined in Step A).
  4. Targets: Add your Device Groups and click Save.

4. User Experience & Automation

  • Automatic Recovery (Self-Healing): As soon as the user enters the geofenced Safe Zone during their authorized work hours, the UEM “Self-Heals.” Hexnode automatically lifts the restrictions, making apps available again without requiring a helpdesk ticket.
  • Overtime Exceptions: If an employee needs temporary “After-Hours” access, an IT admin can move their device into an Exclusion Group with a 24-hour expiration (often referred to as an Ephemeral Identity).

5. Security & Compliance Guardrails

To prevent users from bypassing Geo-Temporal restrictions, enforce the following guardrails:

  • GPS Spoofing Protection: Ensure that “Location Services” are strictly enforced via policy. Hexnode policies can block the use of “Mock Location” apps on Android, ensuring the GPS coordinates are authentic.
  • Privacy Controls: To balance security with employee privacy, configure location tracking to strictly report “In/Out of Fence” compliance status, rather than recording a continuous breadcrumb trail of the user’s exact movements outside of work hours.

6. Troubleshooting

If users report access issues, check these common culprits:

  • “App Hidden in Office”: Verify that the device’s clock is synced via NTP (Network Time Protocol). If the local device time is manually altered or drifting, the Time-of-Day gate will fail and block access.
  • Location Drift: GPS signals can bounce or degrade in tall office buildings. If devices are falsely registering as “Outside Fence,” consider expanding your geofence radius slightly or utilizing Network Fencing (SSID Tracking) as a secondary verification layer.
  • Lag in Access: It may take a moment (typically up to 2 minutes) for the UEM to detect a fence crossing upon arrival. Users can expedite the check-in by opening the Hexnode app and tapping Sync.

7. Audit Logging

When the system denies access, it generates a clear audit trail in the Hexnode reports dashboard.