Category filter
Hexnode – Architecture
Hexnode UEM is a cloud-based Unified Endpoint Management solution that can manage and secure devices from a single centralized web console. It allows users to securely manage both personal and corporate devices either via its unified web console or APIs. Using Hexnode, an IT manager can easily enroll devices over the air, impose settings/policies, manage apps, and check compliance with the enterprise’s standards.
Components of Hexnode UEM
Hexnode Cloud Server
The Mobile Device Management (MDM) software required for managing endpoints is hosted on the Hexnode cloud server. The server must be accessible via public IP address, as many users will be out of the office network.
Hexnode uses Amazon Web Services (AWS) to host its cloud servers for ensuring core security and compliance standards. It includes data encryption programs, DDoS mitigation techniques, and network management policies to protect your information, identities, applications, and devices. Hexnode’s data centers are strategically positioned among the most secure locations to ensure maximum protection from security attacks.
Hexnode cloud server uses:
- Amazon Storage Service (Amazon S3) for storing and protecting any amount of data. This database stores both the device and the management data (policies/configurations). It leverages Amazon Lightsail and Amazon EC2 services for executing secure and flexible cloud computational operations.
- Amazon CloudFront to deliver website/application content including static.hexnodemdm.com and downloads.hexnode.com.
- Amazon Relational Database Service (Amazon RDS) to manage scalable CRUD operations in the cloud.
Admin Console
The admin console refers to the unified browser-based console used for managing and monitoring devices. Once a technician makes a configuration change from the console, the request will be sent to the Hexnode cloud and is then pushed from the Hexnode cloud to the relevant devices via the notification services (APNs, FCM, WNS, or MQTT).
Directory Services
Hexnode supports the connectivity with your organizations’ existing directory infrastructures such as Microsoft Active Directory, Microsoft Entra ID, Google Workspace, and Okta. An organization can connect to these directory services for federated authentication and user synchronization.
For authenticated enrollments, directory users are requested to authenticate themselves with their dedicated credentials. Upon successful authentication of the user, the directory service will provide an OAuth token to the Hexnode server for establishing the user’s authenticity. However, for on-prem directory services like Microsoft Active Directory, the Hexnode AD agent app is needed to establish communications between the directory service and the cloud server.
Firewall
Hexnode’s firewall establishes a secure barrier between the internal network of an enterprise and the internet. It controls the incoming and outgoing network traffic based on a predefined set of rules. In this way, it ensures strong network infrastructure security by blocking access to untrusted traffic.
Notification Services
Hexnode cloud sends notifications to the devices using the appropriate notification services to communicate with Hexnode UEM to check for commands or queries.
- Apple Push Notification Service (APNS) is a highly efficient service created by Apple to enable communication from a third-party service to Apple devices.
- Firebase Cloud Messaging (FCM), previously known as Google Cloud Messaging (GCM), is Google’s notification service used to send notifications to not only Android devices but iOS and Chrome web apps.
- Windows Push Notification Services (WNS), developed by Microsoft, allows communication between a third-party service and any Windows devices, including PCs, and Xbox consoles.
- MQTT is a standards-based messaging protocol used to send notifications to Windows, macOS, and Android devices.
- Pushy is used as a backup push notification provider for Android devices if FCM registration fails.
Integrations
Hexnode combines a plethora of enterprise and technology solutions to deliver the ultimate device management experience. It enables seamless integrations with solutions, such as Apple Business Manager, Android Enterprise, Samsung Knox, and more to simplify device onboarding and management. It also integrates with directory services like Microsoft Active Directory, Microsoft Entra ID, Google Workspace, and Okta to let you easily import your directories to the MDM console.
Zendesk
Hexnode’s integration with Zendesk enables users to leverage the management suite in Hexnode from the Zendesk Support console. You can manage and view devices associated with a particular user along with the raised tickets through the Hexnode plugin on the Zendesk console. With this integration, you can execute several management actions, such as Scan Device, Scan Device Location, Lock Device, Wipe Device, and so on. Thus, handling queries through tickets and performing MDM actions can be achieved simultaneously from the support platform.
Endpoints
The endpoints can be personal or corporate-owned devices of employees that need to be managed in an organization.
Hexnode’s Architecture for Android devices
Hexnode provides extensive management functions for Android 5.0+ devices. The Hexnode UEM app is the end-user component that acts as the agent app for communication between the MDM server and the Android devices. With this agent app installed on the Android devices, an admin can remotely define configurations, check device compliances, wipe, or lock devices, etc. Ensure to keep the required ports open for managing Android devices.
- To communicate with a managed device running the Hexnode UEM app, Hexnode sends a silent notification via FCM, MQTT or Pushy to that device.
- Once the devices are notified, they will connect directly to Hexnode UEM over the standard HTTPS protocol with strict certificate validation. Hexnode will now send commands to the device.
- The device will execute the commands and report the data back to the Hexnode server.
Ports
- Communications for enrolling and managing devices use HTTPS on TCP 443.
- Hexnode uses standard FCM ports and services (Ports 5228, 5229, and 5230). The port 1883 (outbound) can be used for devices without FCM.
- Ports 1883 and 8883 are used to communicate with MQTT.
- Port 53 (TCP/UDP) must be open for DNS resolution. Without DNS, devices cannot reach Hexnode servers or related services.
| Port Number | Inbound/Outbound | Source | Destination | Description |
|---|---|---|---|---|
| 8998 (TCP) | Outbound | AD Agent | Hexnode Cloud (i.e., Provide your portal name) | AD Agent Service |
| 443/80 (TCP) | Outbound | Android Devices |
|
Required for Samsung Knox license validation and enrollment. |
| 443 (TCP) | Outbound | Android Device | www.googleapis.com | Zero-touch Enrollment |
| 443 (TCP) | Bidirectional | Android Device | Destination hosts mentioned in Android Enterprise Network Requirements | App Management |
| 443 (TCP) | Bidirectional | Hexnode Cloud (i.e., Provide your portal name) | Devices | HTTPS port used for secure and encrypted communication between Hexnode server and devices |
| 443 (TCP) | Bidirectional | Devices | Amazon s3 endpoints corresponding to the specific Hexnode UEM portal’s region. | HTTPS port used for file, app management. |
| 443 (TCP) | Outbound | Devices |
|
The “static” domain is used to store assets such as JavaScript, CSS, and images, while the “downloads” domain is used for downloading Hexnode apps. |
| 443 (TCP) | Bidirectional | Devices |
|
HTTPS port used for Office365 Login. |
| 5228, 5229, 5230, 443 (TCP) | Bidirectional | Android Devices | Hostnames mentioned in https://firebase.google.com/docs/cloud-messaging/network-configuration | Receive push notifications via Firebase Cloud Messaging (FCM) |
| 1883, 8883 (TCP) | Outbound | Android Devices |
|
Receive push notifications via MQTT. |
| 443 (TCP) | Outbound | Android Devices |
|
Receive push notifications via Pushy. |
| 443, 3478 (TCP and UDP), 5349 (TCP) | Bidirectional | Android Devices |
|
Simple Traversal of UDP Through NAT (STUN) port for Remote View support, STUN over TLS for Remote View support. |
| 443 (TCP) | Bidirectional | Android Devices |
|
Remote View Server |
IP Ranges
Hexnode requires certain IP ranges to be allowlisted on your Firewall to seamlessly manage your Android devices. However, some IP ranges have to be mandatorily allowlisted whereas others are specific to certain enrollment types.
The IP ranges to be allowlisted can be found in the below-mentioned links:
- FCM (Firebase Cloud Messaging) – https://www.gstatic.com/ipranges/goog.json
- AWS (Amazon Web Services) – https://ip-ranges.amazonaws.com/ip-ranges.json
- Android Enterprise (Optional) – https://bgp.he.net/AS15169#_prefixes
- Samsung Knox (Optional) – Knox Cloud Services can utilize both AWS and FCM for communicating with the UEM server.
Allowlisting the IP ranges required for FCM and AWS is required for the smooth functioning of the UEM console. However, other IP ranges are optional and need to be allowlisted if the devices are enrolled using the specified methods.
Hexnode’s Architecture for Apple devices
Hexnode supports management of the following Apple devices:
- iOS 11.0 and later
- macOS 10.7 and later
- tvOS 6.0 and later
- visionOS 1.1 and later
Hexnode leverages the Apple Push Notification service (APNs) to manage Apple devices. APNs certificate installed in the Hexnode server ensures that the managed devices communicate through a secure channel using Apple Push Notification Service. The Apple devices use TLS based authentication to connect to the Hexnode server. Make sure to enable the required ports for managing Apple endpoints.
- Hexnode initiates the communication by sending a notification to the APNs server to wake up the managed device (via TCP port 443).
- For Apple devices to receive APNs notifications, the devices should maintain a live TCP outbound connection to APNs on port 5223. Make sure that this port remains open because, in some cases, your Wi-Fi router may block this port, preventing notifications from reaching the devices.
- The device listens for the commands, policy settings, and configurations sent by Hexnode.
- The device will execute the commands, apply the configurations/policies, and report the data back to the Hexnode server.
Ports
- Communications for enrolling and managing devices use HTTPS on TCP 443.
- Hexnode uses the port TCP 443 to communicate with APNs (Host Address is “*.push.apple.com”).
- Ports 1883 and 8883 are used to communicate with MQTT.
- If the Apple devices are connected to the internet through Wi-Fi and fail to receive APNs notifications, there are chances that the firewall in your network blocks the outbound port 5223. Make sure that this port remains open to TCP traffic for notifications to work. Learn more.
- Port 53 (TCP/UDP) must be open for DNS resolution. Without DNS, devices cannot reach Hexnode servers or related services.
| Port Number | Inbound/Outbound | Source | Destination | Description |
|---|---|---|---|---|
| 8998 (TCP) | Outbound | AD Agent | Hexnode Cloud (i.e., Provide your portal name) | AD Agent Service |
| 443 (TCP) | Bidirectional | Hexnode Cloud (i.e., Provide your portal name) | Devices | HTTPS port used for secure and encrypted communication between Hexnode server and devices |
| 443 (TCP) | Bidirectional | Devices | Amazon s3 endpoints corresponding to the specific Hexnode UEM portal’s region. | HTTPS port used for file, app management. |
| 443 (TCP) | Outbound | Devices |
|
The “static” domain is used to store assets such as JavaScript, CSS, and images, while the “downloads” domain is used for downloading Hexnode apps. |
| 443 (TCP) | Bidirectional | Devices |
|
HTTPS port used for Office365 Login. |
| 443, 3478 (TCP and UDP), 5349 (TCP) | Bidirectional | iOS Devices |
|
Simple Traversal of UDP Through NAT (STUN) port for Remote View support, STUN over TLS for Remote View support. |
| 443 (TCP) | Bidirectional | iOS Devices |
|
Remote View Server |
| 1883, 8883 (TCP) | Outbound | macOS devices |
|
Receive push notifications via MQTT. |
| 5223 (TCP) | Inbound | Apple Devices | 17.0.0.0/8 | Apple Push Notification service (APNs) for Apple devices. |
Hexnode’s Architecture for Windows devices
Hexnode offers comprehensive support for Windows PCs running Windows 10 and later versions. It makes use of the Windows Push Notification Service (WNS) to send notifications to Windows devices. The devices then communicate with the server using TLS based authentication. Ensure to enable the required ports required for effective management of Windows devices.
- Hexnode initiates communication with Windows devices by sending notifications via the WNS channel.
- Once notified, the devices directly ping the Hexnode server for tasks or queries. The server will then send commands or actions to the devices.
- The device will execute the commands sent by Hexnode and report the data back to the Hexnode server via the notification service channel.
Ports
- TCP port 443 is used in the case of the Windows Notification Service.
- Ports 1883 and 8883 are used to communicate with MQTT.
- Port 53 (TCP/UDP) must be open for DNS resolution. Without DNS, devices cannot reach Hexnode servers or related services.
| Port Number | Inbound/Outbound | Source | Destination | Description |
|---|---|---|---|---|
| 8998 (TCP) | Outbound | AD Agent | Hexnode Cloud (i.e., Provide your portal name) | AD Agent Service |
| 443 (TCP) | Bidirectional | Windows Devices |
|
HTTPS port used for secure and encrypted communication between Hexnode server and Windows devices. |
| 443 (TCP) | Bidirectional | Hexnode Cloud (i.e., Provide your portal name) | Devices | HTTPS port used for secure and encrypted communication between Hexnode server and devices |
| 443 (TCP) | Bidirectional | Devices | Amazon s3 endpoints corresponding to the specific Hexnode UEM portal’s region. | HTTPS port used for file, app management. |
| 443 (TCP) | Outbound | Devices |
|
The “static” domain is used to store assets such as JavaScript, CSS, and images, while the “downloads” domain is used for downloading Hexnode apps. |
| 443 (TCP) | Bidirectional | Devices |
|
HTTPS port used for Office365 Login. |
| 1883, 8883 (TCP) | Outbound | Windows devices |
|
Receive push notifications via MQTT. |
| 443 (TCP) | Bidirectional | Windows devices |
|
Remote View Server |
Hexnode’s Architecture for Linux devices
Hexnode supports Linux devices running major enterprise distributions including Ubuntu, Debian, Fedora, and Linux Mint. Enrollment establishes the necessary communication between Linux endpoints and the Hexnode UEM console. Hexnode uses a CLI-based enrollment method for Linux, ensuring fast and efficient provisioning via terminal commands. Once the Hexnode Linux Agent (HLA) is installed, it establishes a secure, persistent communication channel with the Hexnode UEM server. The agent runs as a systemd daemon, initializes at boot time, and remains fully operational in the terminal.
- Hexnode employs a Dual Channel communication model using MQTT and HTTPS API polling. This design removes dependency on inbound connectivity and ensures command delivery under restrictive network conditions.
- Administrators can execute remote actions such as Lock Device, Execute Custom Script, and more, in real time. The device executes the commands sent by Hexnode and reports data back to the Hexnode server.
- A persistent MQTT socket — an outbound, always-on binary protocol, maintains real-time command readiness without exposing SSH port 22.
Ports
- TCP port 443 is used for HTTPS communications for enrolling and managing devices.
- Ports 1883 and 8883 are used to communicate with MQTT.
- Port 53 (TCP/UDP) must be open for DNS resolution. Without DNS, devices cannot reach Hexnode servers or related services.
| Port Number | Inbound/Outbound | Source | Destination | Description |
|---|---|---|---|---|
| 443 | Bidirectional | Hexnode Cloud (i.e., provide your portal name) | Linux Devices | HTTPS port used for secure communication between the Hexnode server and enrolled Linux devices (/linux-server/ API polling and command delivery). |
| 443 | Outbound | Linux Enrollment Installer (CLI) | Hexnode Cloud (i.e., provide your portal name) | HTTPS port used during device enrollment (/check-auth/, /linux-enroll/, /linux-checkin/). Required for initial agent setup. |
| 443 | Outbound | Linux Devices | Amazon S3 endpoints corresponding to the specific Hexnode UEM portal’s region | HTTPS port used to download the Linux MDM agent binary, enterprise applications, scripts, and other portal-hosted files. |
| 443 | Outbound | Linux Devices | downloads.hexnode.com | HTTPS port used to download Linux feature components such as Remote View Assist, Live Terminal, and Web Content Filtering binaries. |
| 443 | Outbound | Linux Devices | Portal-supplied HTTPS download URL (any host) | HTTPS port used when the portal provides a custom download URL for enterprise apps, agent updates, scripts, or Web Content Filtering binaries. |
| 1883, 8883 | Outbound | Linux Devices | Hostnames listed under MQTT push servers above | MQTT port used to receive real-time push notifications and commands. If blocked, the agent uses HTTPS polling on port 443. |
| 443 | Outbound | Linux Devices | Live Terminal Server (portal-supplied liveTerminalUrl; see Live Terminal servers above) | HTTPS port used for Live Terminal Socket.IO sessions between the device and the Hexnode Live Terminal server (for example, beta-liveterminal.hexnode.com). |
| 443 | Bidirectional | Linux Devices | Remote View Server (portal-supplied remoteViewUrl; see Remote View servers above) | HTTPS port used for Remote View and Remote Control session signaling and data exchange. |
| 443 | Outbound | Linux Devices (Remote View Assist) | http://www.hexnode.com | HTTPS port used to load EULA, privacy policy, terms, and support links in the Remote View client. |
| 443 | Outbound | Linux Devices (Hexnode Access deployments) | Hexnode Cloud (i.e., provide your portal name) | HTTPS port used to download portal assets such as favicon images for Hexnode Access kiosk login (/media/img/favicon.png). |
| 443 | Outbound | Linux Devices (optional — Location tracking) | ipinfo.io | HTTPS port used for IP-based geolocation lookup. |
| 443 | Outbound | Linux Devices (optional — Location tracking) | nominatim.openstreetmap.org | HTTPS port used for reverse geocoding of device coordinates. |
| 443 | Outbound | Linux Devices (optional — Real-time location) | location.services.mozilla.com | HTTPS port used for Wi-Fi-based geolocation. |
| 80 | Outbound | Linux Devices (optional — Real-time location) | ip-api.com | HTTP port used as a fallback for IP-based location lookup. |
| 53 | Outbound | Linux Devices (Web Content Filtering enabled) | 1.1.1.1 | UDP port used by the Hexnode DNS filter service for upstream DNS resolution. |
| 53 | Inbound (local loopback) | Linux Devices (Web Content Filtering enabled) | 127.0.0.1 | UDP port used by the local Hexnode DNS filter listener on the device. Applications on the device resolve DNS through this local service when Web Content Filtering is active. |
| 22 | Inbound (local loopback) | Linux Devices (Live Terminal session active) | 127.0.0.1 | TCP port used for the local SSH connection between the Live Terminal client and the device SSH server during an active Live Terminal session. |
| – | Local (Unix domain socket) | Hexnode Access UI Agent and Linux MDM Agent | /run/mdm_agent/agent.sock, /run/mdm_agent/agent_gui.sock | Local inter-process communication between the UI Agent and MDM Agent on the device. Not an external network connection. |



