
Hexnode – Architecture

Hexnode UEM is a cloud-based Unified Endpoint Management solution that can manage and secure devices from a single centralized web console. It allows users to securely manage both personal and corporate devices either via its unified web console or APIs. Using Hexnode, an IT manager can easily enroll devices over the air, impose settings/policies, manage apps, and check compliance with the enterprise’s standards.

Components of Hexnode UEM

[Figure: Components of Hexnode UEM architecture]

The main infrastructure entities involved in the architecture are:

Hexnode Cloud Server

The Mobile Device Management (MDM) software that manages the endpoints is hosted on the Hexnode cloud server. The server must be reachable over the public internet, since many managed devices are outside the office network most of the time.

Hexnode hosts its cloud servers on Amazon Web Services (AWS) and inherits AWS's core security and compliance controls: data encryption, DDoS mitigation and network management policies that protect information, identities, applications and devices. Hexnode's data centers are located in regions chosen for their physical and operational security.

The Hexnode cloud uses Amazon Simple Storage Service (Amazon S3) as the object store for device data and management data (policies and configurations), Amazon EC2 for its compute workload, and Amazon Relational Database Service (Amazon RDS) for the scalable relational create/read/update/delete (CRUD) operations.

Admin Console

The admin console is the unified browser-based console used for managing and monitoring devices. When a technician makes a configuration change in the console, the request goes to the Hexnode cloud, which uses the platform notification service (APNs, FCM or WNS) to wake the relevant devices so that they fetch the change.

Directory Services

Hexnode connects to your organization's existing directory infrastructure: Microsoft Active Directory, Microsoft Entra ID, Google Workspace (G Suite) and Okta. Connecting a directory service gives you federated authentication and user synchronization.

For authenticated enrollment, directory users sign in with their own directory credentials. On successful authentication, the directory service issues an OAuth token to the Hexnode server, which uses it to establish the user's identity. For on-premises directories such as Microsoft Active Directory, the Hexnode AD agent app is required to bridge the directory and the cloud server (the agent connects outbound to the Hexnode cloud on TCP 8998, see the port tables later in this document).

Firewall

The firewall in the architecture is the enterprise's perimeter firewall between the internal network and the internet. It controls incoming and outgoing traffic according to a predefined rule set and blocks untrusted traffic. Because Hexnode is cloud-hosted, this firewall must permit the outbound ports and destinations listed in the per-platform sections below, or devices and the AD agent cannot reach the Hexnode cloud and the push notification services.

Notification Services

The Hexnode cloud uses each platform's push notification service to wake a managed device. The push itself only tells the device to contact Hexnode UEM and check for pending commands or queries; the commands travel over the device's own HTTPS connection to Hexnode.

  • Apple Push Notification service (APNs) is Apple's service for delivering notifications from a third-party server to Apple devices.
  • Firebase Cloud Messaging (FCM), formerly Google Cloud Messaging (GCM), is Google's notification service; it delivers to Android devices and also to iOS and Chrome web apps.
  • Windows Push Notification Services (WNS), from Microsoft, delivers notifications from a third-party server to Windows devices, including Windows Phones, PCs and Xbox consoles.

Integrations

Hexnode integrates with a range of enterprise and technology solutions. Integrations with Apple Business Manager, Android Enterprise, Samsung Knox and others simplify device onboarding and management, and directory integrations with Microsoft Active Directory, Microsoft Entra ID, Google Workspace (G Suite) and Okta let you import users and groups into the MDM console.

Zendesk

Hexnode's integration with Zendesk exposes Hexnode's management actions inside the Zendesk Support console. Through the Hexnode plugin, a support agent can view the devices associated with the user who raised a ticket and run management actions on them, such as Scan Device, Scan Device Location, Lock Device and Wipe Device, so ticket handling and MDM actions happen on the same platform. Because that list includes destructive actions such as Wipe Device, restrict which Zendesk agents are permitted to use the plugin.

Endpoints

The endpoints can be personal or corporate-owned devices of employees that need to be managed in an organization.

Hexnode’s Architecture for Android devices

Hexnode manages Android 4.1 and later devices. The Hexnode UEM app is the end-user component that acts as the agent between the MDM server and the device; with it installed, an admin can remotely define configurations, check compliance, and lock or wipe the device. Keep the required ports open for Android management (see Ports below).

  1. To reach a managed device running the Hexnode UEM app, Hexnode sends a silent notification to it through Firebase Cloud Messaging (FCM). The push only wakes the device; commands are not delivered through FCM.
  2. On receiving the push, the device connects directly to Hexnode UEM over standard HTTPS with strict certificate validation, and Hexnode sends the pending commands over that connection.
  3. The device executes the commands and reports the results back to the Hexnode server.

[Figure: UEM architecture for Android devices]

Ports

  • Communications for enrolling and managing devices use HTTPS on TCP 443.
  • Hexnode uses the standard FCM ports and services (TCP 5228, 5229 and 5230). Outbound TCP 1883 (the standard MQTT port) can be used for devices without FCM.

Port | Direction | Source | Destination | Description
8998 | Outbound | AD Agent | Hexnode Cloud (your portal hostname) | AD Agent service
443 | Bidirectional | Android devices | *.samsungknox.com, *.secb2b.com, *.samsung.com | Samsung Knox enrollment
443 | Bidirectional | Android devices | www.googleapis.com | Zero-touch enrollment
443 | Bidirectional | Android devices | *play.googleapis.com, *.googleusercontent.com, android.clients.google.com, *.ggpht.com, *.gvt1.com (the original list also names com.android.providers.downloads, which is the Android download-manager package rather than a hostname) | App management
443 | Bidirectional | Hexnode Cloud (your portal hostname) | Devices | HTTPS, the encrypted channel between the Hexnode server and devices
443 | Bidirectional | Devices | s3.eu-central-1.amazonaws.com, s3.amazonaws.com | HTTPS for file and app management
443 | Bidirectional | Devices | *.manage.microsoft.com, *api.office.com, *go.microsoft.com, *login.windows-ppe.net, *secure.aadcdn.microsoftonline-p.com, *vortex.data.microsoft.com | HTTPS for Office 365 login
5228, 5229, 5230 | Bidirectional | Android devices | Internet | Push notifications via Firebase Cloud Messaging (FCM)
3478 (TCP and UDP), 5349 (TCP) | Bidirectional | Android devices | global.stun.twilio.com, global.turn.twilio.com | STUN (Session Traversal Utilities for NAT) for Remote View; 5349 is STUN/TURN over TLS
443 | Bidirectional | Android devices | remoteview.hexnodemdm.com | Remote View server

IP Ranges

Hexnode requires certain IP ranges to be allowlisted on your firewall to manage Android devices. The FCM and AWS ranges are mandatory for the console and devices to function; the remaining ranges are only needed for devices enrolled through the corresponding methods. The ranges themselves are published in the lists linked from this section.

Hexnode’s Architecture for Apple devices

Hexnode supports management of the following Apple devices:

  • iOS 11.0 and later
  • macOS 10.7 and later
  • tvOS 6.0 and later

Hexnode uses the Apple Push Notification service (APNs) to manage Apple devices. The APNs certificate installed on the Hexnode server authorizes Hexnode to push to its enrolled devices; the devices themselves connect to the Hexnode server with TLS-based authentication. Make sure the required ports are open for Apple endpoints.

  1. Hexnode initiates communication by sending a notification to APNs (TCP 443) to wake the managed device.
  2. To receive APNs notifications, the device keeps a persistent outbound TCP connection to APNs on port 5223. Keep this port open: some Wi-Fi routers block it, and then notifications never reach the devices.
  3. Once woken, the device connects to Hexnode and receives the pending commands, policy settings and configurations.
  4. The device executes the commands, applies the configurations and policies, and reports the results back to the Hexnode server.

[Figure: UEM architecture for Apple devices]

Ports

  • Communications for enrolling and managing devices use HTTPS on TCP 443.
  • Hexnode's servers reach APNs over TCP 443. This is server-side traffic from the Hexnode cloud, not from your network.
  • If Apple devices on Wi-Fi fail to receive APNs notifications, the likely cause is a firewall blocking outbound TCP 5223. Keep that port open for TCP traffic.

Note: The legacy APNs binary interface (gateway.push.apple.com, TCP 2195) was deprecated and switched off in March 2021; it is no longer required.

Port | Direction | Source | Destination | Description
8998 | Outbound | AD Agent | Hexnode Cloud (your portal hostname) | AD Agent service
443 | Bidirectional | Apple devices | mesu.apple.com | HTTPS to Apple (mesu.apple.com serves Apple software updates)
443 | Bidirectional | Hexnode Cloud (your portal hostname) | Devices | HTTPS, the encrypted channel between the Hexnode server and devices
443 | Bidirectional | Devices | s3.eu-central-1.amazonaws.com, s3.amazonaws.com | HTTPS for file and app management
443 | Bidirectional | Devices | *.manage.microsoft.com, *api.office.com, *go.microsoft.com, *login.windows-ppe.net, *secure.aadcdn.microsoftonline-p.com, *vortex.data.microsoft.com | HTTPS for Office 365 login
3478 (TCP and UDP), 5349 (TCP) | Bidirectional | iOS devices | global.stun.twilio.com, global.turn.twilio.com | STUN (Session Traversal Utilities for NAT) for Remote View; 5349 is STUN/TURN over TLS
443 | Bidirectional | iOS devices | remoteview.hexnodemdm.com | Remote View server
5223 | Outbound | Apple devices | 17.0.0.0/8 | Apple Push Notification service (APNs); the device holds a persistent outbound TCP connection to APNs on this port
Notes:

Allow the entire 17.0.0.0/8 block, since Apple may push from any address in that range. Alternatively, open the same port to the following narrower ranges:

IPv4

  • 17.249.0.0/16
  • 17.252.0.0/16
  • 17.57.144.0/22
  • 17.188.128.0/18
  • 17.188.20.0/23

IPv6

  • 2620:149:a44::/48
  • 2403:300:a42::/48
  • 2403:300:a51::/48
  • 2a01:b740:a42::/48

Hexnode's Architecture for Windows devices

Hexnode supports Windows PCs running Windows 10 and later. It uses the Windows Push Notification Services (WNS) to wake Windows devices; the devices then communicate with the server using TLS-based authentication. Keep the required ports open for Windows management.

  1. Hexnode initiates communication with a Windows device by sending a notification through the WNS channel.
  2. Once notified, the device contacts the Hexnode server directly for pending tasks or queries, and the server sends the commands or actions.
  3. The device executes the commands and reports the results back to the Hexnode server over HTTPS. WNS is a one-way channel from the cloud to the device and carries no reports.

[Figure: UEM architecture for Windows devices]

Ports

  • WNS traffic uses TCP 443.

Port | Direction | Source | Destination | Description
8998 | Outbound | AD Agent | Hexnode Cloud (your portal hostname) | AD Agent service
443 | Bidirectional | Windows devices | *.notify.live.net, *.wns.windows.com, *.notify.windows.com | Windows Push Notification Services (WNS) endpoints, reached over HTTPS, through which devices receive pushes
443 | Bidirectional | Hexnode Cloud (your portal hostname) | Devices | HTTPS, the encrypted channel between the Hexnode server and devices
443 | Bidirectional | Devices | s3.eu-central-1.amazonaws.com, s3.amazonaws.com | HTTPS for file and app management
443 | Bidirectional | Devices | *.manage.microsoft.com, *api.office.com, *go.microsoft.com, *login.windows-ppe.net, *secure.aadcdn.microsoftonline-p.com, *vortex.data.microsoft.com | HTTPS for Office 365 login
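The Android, Apple and Windows port tables above share one shape, and they mix three kinds of destination: exact hostnames, wildcard patterns of two different forms (`*.manage.microsoft.com` names subdomains only, while `*api.office.com` matches any name ending in `api.office.com`, apex included), and the APNs CIDR `17.0.0.0/8`. A plain L3/L4 firewall can enforce the CIDR but not the hostname patterns; those need a DNS-aware egress filter or proxy. The following is an added example, not Hexnode's code: it encodes a subset of the tables as rules and evaluates connection attempts taken from constructed proxy log lines, so you can check whether a proposed egress policy covers what the devices need. The log format, the device names and the wildcard semantics are assumptions of this example; the page does not define how its wildcards are meant to match.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    dest: str                        # exact host, wildcard pattern, or CIDR
    ports: Tuple[int, ...]
    protos: Tuple[str, ...] = ("tcp",)
    note: str = ""


# Subset of the per-platform tables in this document. The destination strings
# are copied from the tables; the rule structure is this example's own.
RULES: List[Rule] = [
    Rule("*.samsungknox.com", (443,), note="Samsung Knox enrollment"),
    Rule("www.googleapis.com", (443,), note="Zero-touch enrollment"),
    Rule("*play.googleapis.com", (443,), note="App management"),
    Rule("s3.eu-central-1.amazonaws.com", (443,), note="File/app management"),
    Rule("*.manage.microsoft.com", (443,), note="Office 365 login"),
    Rule("*api.office.com", (443,), note="Office 365 login"),
    Rule("global.stun.twilio.com", (3478,), ("tcp", "udp"), "Remote View STUN"),
    Rule("global.turn.twilio.com", (3478,), ("tcp", "udp"), "Remote View TURN"),
    Rule("global.turn.twilio.com", (5349,), ("tcp",), "Remote View TURN over TLS"),
    Rule("remoteview.hexnodemdm.com", (443,), note="Remote View server"),
    Rule("17.0.0.0/8", (5223,), note="APNs"),
    # The table gives "Internet" as the FCM destination, i.e. any host.
    Rule("*", (5228, 5229, 5230), note="FCM push"),
]


def host_matches(pattern: str, host: str) -> bool:
    """Wildcard semantics assumed here: '*' matches anything; '*.x' matches
    subdomains of x only (strict reading, apex excluded); '*x' matches any
    name ending in x, apex included; anything else is an exact match."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])   # '*.x' keeps the dot, so apex fails
    return host == pattern


def is_allowed(dst: str, port: int, proto: str = "tcp") -> Tuple[bool, str]:
    """First matching rule wins; returns (allowed, note of the rule that hit)."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        addr = None
    for rule in RULES:
        if port not in rule.ports or proto.lower() not in rule.protos:
            continue
        if "/" in rule.dest:
            # A CIDR rule can only be applied to a literal IP. A hostname
            # would have to be resolved first, which an L3/L4 rule cannot do.
            if addr is not None and addr in ipaddress.ip_network(rule.dest):
                return True, rule.note
        elif host_matches(rule.dest, dst):
            return True, rule.note
    return False, "no matching rule"


def parse_line(line: str) -> Tuple[str, int, str]:
    """Parse one 'key=value' proxy/firewall log line (constructed format)."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return fields["dst"], int(fields["port"]), fields.get("proto", "tcp")


def audit(lines: List[str]) -> List[Tuple[str, bool, str]]:
    """Evaluate each logged connection against RULES."""
    out = []
    for line in lines:
        dst, port, proto = parse_line(line)
        ok, note = is_allowed(dst, port, proto)
        out.append((f"{dst}:{port}/{proto}", ok, note))
    return out


# Constructed sample log; addresses are documentation ranges, not real traffic.
SAMPLE_LOG = [
    "ts=2024-05-01T10:00:00Z dev=android-017 dst=play.googleapis.com port=443 proto=tcp",
    "ts=2024-05-01T10:00:01Z dev=android-017 dst=knox.samsungknox.com port=443 proto=tcp",
    "ts=2024-05-01T10:00:02Z dev=android-017 dst=samsungknox.com port=443 proto=tcp",
    "ts=2024-05-01T10:00:03Z dev=ipad-004 dst=17.57.145.10 port=5223 proto=tcp",
    "ts=2024-05-01T10:00:04Z dev=ipad-004 dst=203.0.113.9 port=5223 proto=tcp",
    "ts=2024-05-01T10:00:05Z dev=android-017 dst=global.turn.twilio.com port=5349 proto=tcp",
    "ts=2024-05-01T10:00:06Z dev=android-017 dst=global.turn.twilio.com port=5349 proto=udp",
    "ts=2024-05-01T10:00:07Z dev=win-031 dst=updates.example.net port=443 proto=tcp",
    "ts=2024-05-01T10:00:08Z dev=android-017 dst=198.51.100.7 port=5228 proto=tcp",
]

if __name__ == "__main__":
    for target, ok, note in audit(SAMPLE_LOG):
        print(f"{'ALLOW' if ok else 'DENY ':5} {target:40} {note}")
```

Two rows are worth a second look when you run it. `samsungknox.com` is denied because the apex falls outside `*.samsungknox.com` under the strict reading; if the vendor intends the apex to be reachable, the rule has to say so, because the pattern shape decides. And the APNs rule fires only for a literal address inside 17.0.0.0/8, which is why the page expresses APNs as a CIDR while every other destination is a hostname that only a name-aware filter can enforce. The FCM rule reproduces the table's "Internet" destination, so those three ports are open to any host; tighten that only on the basis of Google's own published guidance.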
Notes:

The list of ports and IPs in this document is not exhaustive. For specific requirements or more detail, contact the Hexnode Support team:

  • Email: mdm-support@hexnode.com
  • Phone: +1-415-636-7555