
The “Helpdesk Level 1” Playbook: Standard Operating Procedures for 10 common MDM issues

Executive Summary: This playbook serves as the definitive Standard Operating Procedure (SOP) for Level 1 Helpdesk technicians managing a Hexnode UEM environment. It provides a structured diagnostic framework for resolving the 10 most frequent MDM-related support tickets, moving from Initial Handshake Verification to Terminal Remediation.

Prerequisite: Principle of Least Privilege (PoLP) via Hexnode RBAC

Before implementing this playbook, administrators must configure Role-Based Access Control (RBAC) to enforce a secure L1 workspace.

  • Role Setup: Create a “Helpdesk Tier 1” role restricted strictly to basic remote actions: Scan Device, Remote View, Clear Passcode, Clear App Data, Install Application, and Send Message.
  • Administrative Blindspots: L1 agents must not have access to the global Admin tab (Licenses, APNs, Global Restrictions).
  • Blast Radius: Scope this role specifically to the Target Domains or Device Groups the agent supports, restricting them from global fleet visibility.

Part 1: Standard Operating Procedures for 10 Common MDM Issues

Issue 1: Device is Unresponsive to MDM Commands (Mac/iOS/Android)

Symptoms: Remote actions remain pending, apps aren’t pushing, and the device shows as “Inactive” in the console.

Root Cause: Local network disconnection, blocked ports, or a globally expired Apple Push Notification service (APNs) certificate.

L1 SOP:

  1. Instruct the user to verify their internet connection. For Apple devices on corporate Wi-Fi, ensure the network is not blocking standard ports.
  2. Trigger a “Scan Device” action from the Hexnode portal to force an immediate background sync.
  3. Escalation Trigger: If the device is on a verified network, but multiple Apple devices are simultaneously failing to sync (while Android devices remain unaffected), escalate a ticket to L2 immediately. Note in the ticket: Possible global APNs certificate expiration.
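The step-3 escalation trigger can be checked against a console export instead of by eye. The following is an added example (not Hexnode code, and the device records are constructed): it flags a fleet-wide Apple sync failure only when most Apple devices have gone inactive while Android devices on the same tenant keep checking in, and drafts the ticket note the SOP asks for. The 24-hour inactive threshold and the 50%/10% ratios are assumptions to tune per environment.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of console records (not a real Hexnode export).
NOW = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)
DEVICES = [
    {"name": "mac-01",    "platform": "macOS",   "last_seen": NOW - timedelta(hours=30)},
    {"name": "iphone-02", "platform": "iOS",     "last_seen": NOW - timedelta(hours=28)},
    {"name": "ipad-03",   "platform": "iPadOS",  "last_seen": NOW - timedelta(hours=27)},
    {"name": "mac-04",    "platform": "macOS",   "last_seen": NOW - timedelta(minutes=20)},
    {"name": "pixel-05",  "platform": "Android", "last_seen": NOW - timedelta(minutes=5)},
    {"name": "galaxy-06", "platform": "Android", "last_seen": NOW - timedelta(minutes=12)},
    {"name": "galaxy-07", "platform": "Android", "last_seen": NOW - timedelta(minutes=3)},
]

APPLE = {"iOS", "iPadOS", "macOS", "tvOS"}
INACTIVE_AFTER = timedelta(hours=24)  # assumed "Inactive" threshold for this example


def inactive_ratio(devices, now, platforms):
    """Fraction of devices on the given platforms whose last check-in is older
    than INACTIVE_AFTER, plus how many devices were considered."""
    subset = [d for d in devices if d["platform"] in platforms]
    if not subset:
        return 0.0, 0
    inactive = sum(1 for d in subset if now - d["last_seen"] > INACTIVE_AFTER)
    return inactive / len(subset), len(subset)


def apns_escalation_check(devices, now=NOW, min_apple_inactive=0.5, max_android_inactive=0.1):
    """Return (escalate, note). Escalate to L2 only when Apple devices are failing
    together while Android devices remain active (Issue 1, step 3)."""
    apple_ratio, apple_n = inactive_ratio(devices, now, APPLE)
    android_ratio, android_n = inactive_ratio(devices, now, {"Android"})
    fleet_wide = (apple_n >= 2 and apple_ratio >= min_apple_inactive
                  and android_ratio <= max_android_inactive)
    if fleet_wide:
        return True, (f"Possible global APNs certificate expiration: "
                      f"{apple_ratio:.0%} of {apple_n} Apple devices inactive, "
                      f"{android_ratio:.0%} of {android_n} Android devices inactive")
    return False, "Not fleet-wide; continue per-device network checks and Scan Device"


if __name__ == "__main__":
    print(apns_escalation_check(DEVICES))
```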

Issue 2: “Certificate Error Occurred” During Android Enrollment

Symptoms: An SSL certificate validation dialog blocks the user immediately after entering the server name.

Root Cause: Device time drift breaking the SSL handshake between the device and the Hexnode server.

L1 SOP:

  1. Instruct the user to open their Android Date and Time settings and enable “Automatic Date and Time” provided by the network.
  2. Ask the user to verify they are running the latest OS security patch via Settings > System > System updates.
  3. Verify the user is typing the exact server URL correctly without typos.

Issue 3: “Trouble connecting to server” or “Invalid Server”

Symptoms: The Hexnode app states “Please provide a valid server name” or halts connection.

Root Cause: Improper URL formatting causing a DNS resolution failure.

L1 SOP:

  1. Confirm the user isn’t manually typing http:// or https://. The Hexnode agent app is hardcoded to automatically append the secure https:// protocol. If a user types it, the app concatenates it into a broken string (e.g., https://https://yourcompany.hexnodemdm.com).
  2. Instruct the user to enter only the subdomain (e.g., yourcompany.hexnodemdm.com).
  3. Have the user toggle between Cellular and Wi-Fi to rule out ISP-level routing blocks.
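Issues 2 and 3 are both pre-enrollment input problems, so one pre-flight check covers them. This is an added example, not Hexnode's agent code: it normalises the server name the way the SOP describes (the agent adds `https://` itself, so a user-typed scheme produces the broken `https://https://...` string) and reports whether the device clock sits outside the server certificate's validity window or drifts beyond a tolerance. The `.hexnodemdm.com` suffix check, the 5-minute tolerance and the certificate dates are assumptions for the example.

```python
import re
from datetime import datetime, timedelta, timezone

SCHEME_RE = re.compile(r"^(https?://)", re.IGNORECASE)
PORTAL_SUFFIX = ".hexnodemdm.com"  # assumed portal host suffix from the SOP's example


def check_server_name(user_input):
    """Issue 3: return (normalised host, findings). A typed scheme is reported
    because the agent would build https://https://... and DNS resolution fails."""
    value = user_input.strip()
    findings = []
    m = SCHEME_RE.match(value)
    if m:
        findings.append(f"scheme typed by user; agent would request https://{value}")
        value = value[m.end():]
    value = value.rstrip("/")
    if "/" in value or " " in value:
        findings.append("path or whitespace in server name; enter only the subdomain")
    if not value.lower().endswith(PORTAL_SUFFIX):
        findings.append(f"host does not end in {PORTAL_SUFFIX}; confirm spelling")
    return value, findings


def check_device_clock(device_time, reference_time, cert_not_before, cert_not_after,
                       max_skew=timedelta(minutes=5)):
    """Issue 2: TLS validation uses the device clock, so drift outside the
    certificate window breaks the handshake before enrollment starts."""
    findings = []
    skew = abs(device_time - reference_time)
    if skew > max_skew:
        findings.append(f"clock drift of {skew} exceeds {max_skew}; enable automatic date and time")
    if not (cert_not_before <= device_time <= cert_not_after):
        findings.append("device clock is outside the server certificate's validity window")
    return findings


# Constructed reference values for a worked run (not real certificate data).
REFERENCE = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)
CERT_NOT_BEFORE = REFERENCE - timedelta(days=30)
CERT_NOT_AFTER = REFERENCE + timedelta(days=335)
DRIFTED_DEVICE_TIME = REFERENCE - timedelta(days=400)  # battery reset, clock years behind

if __name__ == "__main__":
    print(check_server_name("https://yourcompany.hexnodemdm.com/"))
    print(check_device_clock(DRIFTED_DEVICE_TIME, REFERENCE, CERT_NOT_BEFORE, CERT_NOT_AFTER))
```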

Issue 4: Device Locked / Forgotten Passcode

Symptoms: An employee is locked out of their managed iOS or Android device.

L1 SOP:

  1. Locate the specific user’s device in your scoped Manage tab.
  2. Select the device and choose Actions > Clear Passcode (for iOS) or Clear Password (for Android).
  3. Inform the user to wait 30 seconds, wake the device, and swipe in to set a new compliance-approved PIN.

Issue 5: “Device Limit Reached! Please contact your administrator!”

Symptoms: Enrollment halts abruptly, preventing hardware onboarding.

Root Cause: The Hexnode UEM portal has exhausted its active device license limit.

L1 SOP:

  1. Trust the device’s error message as the source of truth, as L1s cannot view the Admin billing dashboard.
  2. Search the user’s profile in the Manage tab for stale, duplicate, or legacy devices still linked to their account.
  3. Escalation Trigger: Escalate to the Asset Management or L2 team requesting a “Disenroll and Delete” of specific legacy hardware to free up a license seat. If no stale devices exist, route to IT Procurement with the note: User halted at enrollment – License Exhaustion.

Issue 6: “Your Device is Not Authorized to be Enrolled”

Symptoms: User receives an authorization block immediately after entering the server name.

Root Cause: The device is being blocked by a global portal restriction set by higher-tier admins (e.g., OS version blocks, or strict “Pre-approved Hardware Only” rules).

L1 SOP:

  1. Do not attempt to bypass this via the user’s directory credentials; this is a hardware/policy block.
  2. Collect the device’s Serial Number and MAC Address from the user.
  3. Escalation Trigger: Escalate to L2 with the collected identifiers to either allowlist the hardware into the Pre-approved list or investigate the specific OS restriction blocking the enrollment.

Issue 7: App Crashes or Glitches (Android)

Symptoms: A managed corporate app repeatedly fails, hangs, or refuses to open.

L1 SOP:

  1. Do not advise a full device wipe. Locate the device in the Manage tab.
  2. Trigger the remote “Clear App Data” action specifically targeting the failing application.
  3. Escalation Trigger: If the issue persists, select “Request Bug Report” from the Actions menu to fetch system logs silently. Escalate the ticket to L2 with the bug report attached for developer review.

Issue 8: Trouble Granting Permissions on Android 13+

Symptoms: User is unable to toggle Device Administration or Usage Access permissions; the UI greys out the option during setup.

Root Cause: Android 13+ “Restricted Settings” security feature automatically blocks accessibility permissions for downloaded/sideloaded apps.

L1 SOP:

  1. Guide the user to open the native Android Settings > Apps > Hexnode UEM.
  2. Instruct them to tap the three-dot overflow menu in the top right corner.
  3. Select “Allow restricted settings”, authenticate with their device PIN, and return to the Hexnode app to successfully grant the permissions.

Issue 9: Required App is Missing from Device

Symptoms: A mandatory enterprise app (e.g., Slack, CrowdStrike) fails to appear on the device.

L1 SOP:

  1. Check the Action History log under the device profile to see if the deployment command failed, is pending, or was rejected by the device.
  2. Ensure the device OS meets the basic criteria for the app (e.g., user isn’t running an outdated iOS version incompatible with the app).
  3. Push an “Install Application” command manually from the Actions dropdown to force a retry.

Issue 10: Device Flagged as “Non-Compliant”

Symptoms: Device loses access to corporate resources or emails due to conditional access flags.

L1 SOP:

  1. Open the device summary and check the Compliance Info tab to identify the exact policy drift (e.g., Location outside of geofence, FileVault encryption disabled, missing required apps).
  2. Guide the user to manually remediate the specific issue on their end.
  3. Once the user confirms the fix, trigger a “Scan Device” action to update the Hexnode server, clear the non-compliant flag, and restore their network access.

Part 2: Workflow Automation Best Practices (For IT Leadership)

To evolve the Helpdesk from reactive troubleshooting to proactive endpoint management, organizations should build the following integrations to empower their L1 staff:

  • Implement ITSM API Integrations (ServiceNow / Zendesk): Sync device compliance status and telemetry directly into the ITSM CMDB. This allows L1 agents to trigger Hexnode remote actions (Lock, Scan, Clear Passcode) natively within the support ticket UI, eliminating portal-hopping and speeding up resolution times.
  • Deploy Hexnode “Automate” for Self-Healing: Utilize Hexnode’s Automate Actions framework. Instead of waiting for users to report slow devices, create templates. For example, schedule an automated “Restart Device” command for retail kiosks every Sunday at 2 AM to clear memory leaks.
  • Enforce IdP SSO for Technicians: Secure the Helpdesk by integrating Hexnode with SAML 2.0 Identity Providers (IdP) like Microsoft Entra ID or Okta. If an L1 agent transitions roles, revoking their IdP access instantly severs their Hexnode portal login.
  • Leverage Dynamic Grouping for Zero-Touch Payloads: Eliminate manual L1 assignment errors. Use Dynamic Device Groups to assign configurations based on strict criteria (e.g., “All Android Enterprise devices running OS > 11”). When a user upgrades their OS with L1 assistance, the device dynamically enters the group, and Hexnode autonomously pushes the appropriate security payloads.
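The dynamic-grouping bullet hinges on the membership rule being evaluated correctly, and “OS > 11” is where naive implementations go wrong: compared as strings, "9.0" sorts after "11". The following is an added example (not Hexnode's grouping engine, with a constructed inventory) that evaluates the “All Android Enterprise devices running OS > 11” rule with numeric version comparison and shows a device entering the group after an L1-assisted OS upgrade.

```python
import re


def parse_version(text):
    """Turn '11', '9.0' or '13.0.1' into a tuple of ints for numeric comparison."""
    parts = re.findall(r"\d+", text)
    return tuple(int(p) for p in parts) or (0,)


def version_gt(a, b):
    """True when version a is strictly newer than b; pads so 11.0 == 11 and 11.0.1 > 11."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return va + (0,) * (width - len(va)) > vb + (0,) * (width - len(vb))


def naive_string_gt(a, b):
    """The bug this example guards against: lexical comparison of version strings."""
    return a > b


# Rule from the bullet above, expressed as criteria a grouping engine could evaluate.
ANDROID_ENTERPRISE_GT_11 = {"platform": "Android", "enrollment": "Android Enterprise",
                            "os_version_gt": "11"}

# Constructed inventory (not real device data).
DEVICES = [
    {"name": "galaxy-a", "platform": "Android", "enrollment": "Android Enterprise", "os_version": "9.0"},
    {"name": "pixel-b",  "platform": "Android", "enrollment": "Android Enterprise", "os_version": "13"},
    {"name": "pixel-c",  "platform": "Android", "enrollment": "Android Enterprise", "os_version": "11.0"},
    {"name": "moto-d",   "platform": "Android", "enrollment": "Device Admin",       "os_version": "12"},
    {"name": "iphone-e", "platform": "iOS",     "enrollment": "Supervised",         "os_version": "17.2"},
]


def in_dynamic_group(device, rule):
    return (device["platform"] == rule["platform"]
            and device["enrollment"] == rule["enrollment"]
            and version_gt(device["os_version"], rule["os_version_gt"]))


def group_members(devices, rule):
    """Sorted names of devices that currently satisfy the rule."""
    return sorted(d["name"] for d in devices if in_dynamic_group(d, rule))


def apply_os_upgrade(devices, name, new_version):
    """Simulate the L1-assisted OS upgrade; returns a new inventory, input untouched."""
    return [dict(d, os_version=new_version) if d["name"] == name else d for d in devices]
```

After `apply_os_upgrade(DEVICES, "pixel-c", "12")` the device satisfies the rule and would receive the group's security payloads on the next evaluation without any manual assignment.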