
Hexnode – Architecture

Hexnode UEM is a cloud-based Unified Endpoint Management solution that can manage and secure devices from a single centralized web console. It allows users to securely manage both personal and corporate devices either via its unified web console or APIs. Using Hexnode, an IT manager can easily enroll devices over the air, impose settings/policies, manage apps, and check compliance with the enterprise’s standards.

Note: Hexnode UEM has announced end-of-life (EOL) for its on-premises edition. The edition reaches end-of-life on May 31, 2021, and all on-prem customers are requested to migrate to the cloud edition to continue receiving general support and maintenance.

Components of Hexnode UEM

Figure: Components of Hexnode MDM architecture

The main infrastructure entities involved in the architecture are:

Hexnode Cloud Server

The Mobile Device Management (MDM) software required for managing endpoints is hosted on the Hexnode cloud server. The server must be accessible via public IP address, as many users will be out of the office network.

Hexnode uses Amazon Web Services (AWS) to host its cloud servers for ensuring core security and compliance standards. It includes data encryption programs, DDoS mitigation techniques, and network management policies to protect your information, identities, applications, and devices. Hexnode’s data centers are strategically positioned among the most secure locations to ensure maximum protection from security attacks.

Hexnode cloud server uses the Amazon Storage Service (Amazon S3) for storing and protecting any amount of data. This database stores both the device and the management data (policies/configurations). It leverages Amazon EC2 services for executing secure and flexible cloud computational operations. Amazon Relational Database Service (Amazon RDS) manages the scalable CRUD operations in the cloud.

Admin Console

The admin console refers to the unified browser-based console used for managing and monitoring devices. Once a technician makes a configuration change from the console, the request will be sent to the Hexnode cloud and is then pushed from the Hexnode cloud to the relevant devices via the notification services (APNs, FCM, or WNS).

Directory Services

Hexnode supports connectivity with your organization’s existing directory infrastructure, such as Microsoft Active Directory, Azure AD, G Suite, and Okta. An organization can connect to these directory services for federated authentication and user synchronization.

For authenticated enrollments, directory users are prompted to authenticate with their directory credentials. Upon successful authentication, the directory service provides an OAuth token to the Hexnode server to establish the user’s authenticity. For on-prem directory services such as Microsoft Active Directory, however, the Hexnode AD agent app is needed to establish communication between the directory service and the cloud server.

Firewall

Hexnode’s firewall establishes a secure barrier between the internal network of an enterprise and the internet. It controls the incoming and outgoing network traffic based on a predefined set of rules. In this way, it ensures strong network infrastructure security by blocking access to untrusted traffic.

Notification Services

The Hexnode cloud uses the appropriate notification service to wake the devices; the devices then contact Hexnode MDM to check for pending commands or queries.

  • Apple Push Notification Service (APNs) is a highly efficient service created by Apple to enable communication from a third-party service to Apple devices.
  • Firebase Cloud Messaging (FCM), previously known as Google Cloud Messaging (GCM), is Google’s notification service used to send notifications to Android devices as well as iOS and Chrome web apps.
  • Windows Push Notification Services (WNS), developed by Microsoft, allows communication between a third-party service and Windows devices, including Windows Phones, PCs, and Xbox consoles.

Integrations

Hexnode combines a plethora of enterprise and technology solutions to deliver the ultimate device management experience. It enables seamless integrations with solutions, such as Apple Business Manager, Android Enterprise, Samsung Knox, and more to simplify device onboarding and management. It also integrates with directory services like Microsoft Active Directory, Azure AD, G Suite, and Okta to let you easily import your directories to the MDM console.

Zendesk

Hexnode’s integration with Zendesk enables users to leverage the management suite in Hexnode from the Zendesk Support console. You can manage and view devices associated with a particular user along with the raised tickets through the Hexnode plugin on the Zendesk console. With this integration, you can execute several management actions, such as Scan Device, Scan Device Location, Lock Device, Wipe Device, and so on. Thus, handling queries through tickets and performing MDM actions can be achieved simultaneously from the support platform.

Endpoints

The endpoints can be personal or corporate-owned devices of employees that need to be managed in an organization.

Hexnode’s Architecture for Android devices

Hexnode provides extensive management functions for Android 4.1+ devices. The Hexnode MDM app is the end-user component that acts as the agent for communication between the MDM server and the Android devices. With this agent app installed on the Android devices, an admin can remotely define configurations, check device compliance, and wipe or lock devices. Make sure the required ports are kept open for managing Android devices.

  1. To communicate with a managed device running the Hexnode MDM app, Hexnode sends a silent notification via the Firebase Cloud Messaging (FCM) to that device.
  2. Once the devices are notified via FCM, they will connect directly to Hexnode MDM over the standard HTTPS protocol with strict certificate validation. Hexnode will now send commands to the device.
  3. The device will execute the commands and report the data back to the Hexnode server.

Figure: UEM architecture for Hexnode MDM Android devices

Ports

  • Communications for enrolling and managing devices use HTTPS on TCP 443.
  • Hexnode uses the standard FCM ports and services (ports 5228, 5229, and 5230). Port 1883 (outbound) can be used for devices without FCM.

Port Number | Inbound/Outbound | Source | Destination | Description
8998 | Outbound | AD Agent | Hexnode Cloud | AD Agent Service
443 | Bidirectional | Android Devices | *.samsungknox.com, *.secb2b.com, *.samsung.com | Samsung Knox Enrollment
443 | Bidirectional | Android Device | www.googleapis.com | Zero-touch Enrollment
443 | Bidirectional | Android Device | *play.googleapis.com, *.googleusercontent.com, android.clients.google.com, *.ggpht.com, *.gvt1.com, com.android.providers.downloads | App Management
443 | Bidirectional | Hexnode Cloud | Devices | HTTPS port used for secure and encrypted communication between Hexnode server and devices
443 | Bidirectional | Devices | s3.eu.central-1.amazonaws.com, s3.amazonaws.com | HTTPS port used for file and app management
443 | Bidirectional | Devices | *.manage.microsoft.com, *api.office.com, *go.microsoft.com, *login.windows-ppe.net, *secure.aadcdn.microsoftonline-p.com, *vortex.data.microsoft.com | HTTPS port used for Office365 login
5228, 5229, 5230 | Bidirectional | Android Devices | Internet | Receive push notifications via Firebase Cloud Messaging (FCM)
3478 (TCP and UDP), 5349 (TCP) | Bidirectional | Android Devices | global.stun.twilio.com, global.turn.twilio.com | Simple Traversal of UDP Through NAT (STUN) port for Remote View support; STUN over TLS for Remote View support
443 | Bidirectional | Android Devices | remoteview.hexnodemdm.com | Remote View Server

Hexnode’s Architecture for Apple devices

Hexnode supports management of the following Apple devices:

  • iOS 4.0 and later
  • macOS 10.7 and later
  • tvOS 6.0 and later

Hexnode leverages the Apple Push Notification service (APNs) to manage Apple devices. The APNs certificate installed on the Hexnode server ensures that managed devices communicate through a secure channel using APNs. The Apple devices use TLS-based authentication to connect to the Hexnode server. Make sure the required ports are enabled for managing Apple endpoints.

  1. Hexnode initiates the communication by sending a notification to the APNs server to wake up the managed device (via TCP port 443).
  2. For Apple devices to receive APNs notifications, the devices should maintain a live TCP outbound connection to APNs on port 5223. Make sure that this port remains open because, in some cases, your Wi-Fi router may block this port, preventing notifications from reaching the devices.
  3. The device listens for the commands, policy settings, and configurations sent by Hexnode.
  4. The device will execute the commands, apply the configurations/policies, and report the data back to the Hexnode server.

Figure: UEM architecture for Hexnode MDM Apple devices

Ports

  • Communications for enrolling and managing devices use HTTPS on TCP 443.
  • Port 80 is the default application port used during the installation of Hexnode.
  • Hexnode uses TCP port 443 to communicate with APNs (host address: gateway.push.apple.com).
  • If the Apple devices are connected to the internet through Wi-Fi and fail to receive APNs notifications, there are chances that the firewall in your network blocks the outbound port 5223. Make sure that this port remains open to TCP traffic for notifications to work.

Note: Legacy port 2195, earlier used for communicating with APNs, is deprecated from March 2021.

Port Number | Inbound/Outbound | Source | Destination | Description
8998 | Outbound | AD Agent | Hexnode Cloud | AD Agent Service
443 | Bidirectional | Apple Devices | mesu.apple.com | HTTPS port used for secure and encrypted communication between Hexnode server and Apple devices
443 | Bidirectional | Hexnode Cloud | Devices | HTTPS port used for secure and encrypted communication between Hexnode server and devices
443 | Bidirectional | Devices | s3.eu.central-1.amazonaws.com, s3.amazonaws.com | HTTPS port used for file and app management
443 | Bidirectional | Devices | *.manage.microsoft.com, *api.office.com, *go.microsoft.com, *login.windows-ppe.net, *secure.aadcdn.microsoftonline-p.com, *vortex.data.microsoft.com | HTTPS port used for Office365 login
3478 (TCP and UDP), 5349 (TCP) | Bidirectional | iOS Devices | global.stun.twilio.com, global.turn.twilio.com | Simple Traversal of UDP Through NAT (STUN) port for Remote View support; STUN over TLS for Remote View support
443 | Bidirectional | iOS Devices | remoteview.hexnodemdm.com | Remote View Server
5223 | Inbound | Apple Devices | 17.0.0.0/8 | Apple Push Notification service (APNs) for Apple devices

Notes: Allow access for the entire 17.0.0.0/8 address block, as Apple may use any address from the range for pushing notifications. Alternatively, you may open access to the following network ranges via the same ports:

IPv4

  • 17.249.0.0/16
  • 17.252.0.0/16
  • 17.57.144.0/22
  • 17.188.128.0/18
  • 17.188.20.0/23

IPv6

  • 2620:149:a44::/48
  • 2403:300:a42::/48
  • 2403:300:a51::/48
  • 2a01:b740:a42::/48
Hexnode’s Architecture for Windows devices

Hexnode offers comprehensive support for Windows PCs running Windows 10 and later. It uses the Windows Push Notification Service (WNS) to send notifications to Windows devices, which then communicate with the server using TLS-based authentication. Make sure the required ports are enabled for effective management of Windows devices.

  1. Hexnode initiates communication with Windows devices by sending notifications via the WNS channel.
  2. Once notified, the devices directly ping the Hexnode server for tasks or queries. The server will then send commands or actions to the devices.
  3. The device will execute the commands sent by Hexnode and report the data back to the Hexnode server via the notification service channel.

Figure: UEM architecture for Hexnode MDM Windows devices

Ports

  • TCP port 443 is used in the case of the Windows Notification Service.

Port Number | Inbound/Outbound | Source | Destination | Description
8998 | Outbound | AD Agent | Hexnode Cloud | AD Agent Service
443 | Bidirectional | Windows Devices | *.notify.live.net, *.wns.windows.com, *.notify.windows.com | HTTPS port used for secure and encrypted communication between Hexnode server and Windows devices
443 | Bidirectional | Hexnode Cloud | Devices | HTTPS port used for secure and encrypted communication between Hexnode server and devices
443 | Bidirectional | Devices | s3.eu.central-1.amazonaws.com, s3.amazonaws.com | HTTPS port used for file and app management
443 | Bidirectional | Devices | *.manage.microsoft.com, *api.office.com, *go.microsoft.com, *login.windows-ppe.net, *secure.aadcdn.microsoftonline-p.com, *vortex.data.microsoft.com | HTTPS port used for Office365 login
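
As an added example that is not Hexnode’s own code, the following Python encodes a subset of the egress requirements from the port tables above (Android, Apple and Windows) as an allowlist and runs constructed firewall deny lines against it, flagging denies that would break device management, such as the APNs port 5223 case the Apple notes warn about. The rule tuple format, the function names and the "DENY proto src -> dst:port" log shape are assumptions of this example.

```python
import ipaddress
import re
from fnmatch import fnmatchcase
# Subset of the egress requirements from the port tables above, as
# (destination pattern, port, protocol): a hostname glob like "*.samsungknox.com",
# a CIDR like "17.0.0.0/8", or "*" for any destination (the tables' "Internet").
# Tuple format and function names are this example's own, not Hexnode's.
REQUIRED_EGRESS = [
    ("*.samsungknox.com", 443, "tcp"),        # Samsung Knox enrollment
    ("www.googleapis.com", 443, "tcp"),       # zero-touch enrollment
    ("*api.office.com", 443, "tcp"),          # Office365 login
    ("*", 5228, "tcp"), ("*", 5229, "tcp"), ("*", 5230, "tcp"),  # FCM
    ("global.stun.twilio.com", 3478, "udp"),  # Remote View STUN
    ("global.turn.twilio.com", 5349, "tcp"),  # STUN over TLS
    ("17.0.0.0/8", 5223, "tcp"),              # APNs, whole Apple block
]

def _matches(pattern, dest):
    """Match a destination (hostname or IP literal) against one pattern."""
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:                        # not a CIDR: treat as hostname glob
        return fnmatchcase(dest.lower(), pattern.lower())
    try:
        return ipaddress.ip_address(dest) in net
    except ValueError:                        # a hostname never matches a CIDR rule
        return False

def required(dest, port, proto="tcp"):
    """True if traffic to dest:port/proto appears in the required egress list."""
    return any(port == p and proto == pr and _matches(pat, dest)
               for pat, p, pr in REQUIRED_EGRESS)

# Constructed firewall log lines in a made-up "DENY proto src -> dst:port" shape.
DENY_LINE = re.compile(r"DENY (\w+) \S+ -> (\S+):(\d+)")
SAMPLE_LOG = [
    "DENY tcp 10.0.0.5 -> 17.188.130.5:5223",            # APNs keep-alive blocked
    "DENY tcp 10.0.0.5 -> 203.0.113.7:8443",             # unrelated traffic
    "DENY udp 10.0.0.9 -> global.stun.twilio.com:3478",  # Remote View STUN blocked
    "ALLOW tcp 10.0.0.9 -> www.googleapis.com:443",
]

def blocked_required(log_lines):
    """Return (dest, port, proto) for denied flows that device management needs."""
    hits = []
    for m in filter(None, map(DENY_LINE.search, log_lines)):
        proto, dest, port = m.group(1).lower(), m.group(2), int(m.group(3))
        if required(dest, port, proto):
            hits.append((dest, port, proto))
    return hits
```

Run `blocked_required(SAMPLE_LOG)` to list the denies that need a firewall exception; a hostname glob without a leading dot, such as "*api.office.com", matches any name ending in that suffix, so review such entries before turning them into rules.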