
The Identity Anchor: Mapping Native IdP Attributes to Dynamic UEM Groups

“The Identity Anchor” is a high-level architectural concept in modern device management. It refers to the practice of using your Identity Provider (IdP), such as Microsoft Entra ID (formerly Azure AD), Google Workspace, or Okta, as the “Single Source of Truth” for your device fleet.

Instead of manually assigning a new hire to a “Marketing” device group, the UEM (Unified Endpoint Management) system acts as an “Anchor.” It watches the user’s attributes in your IdP (like Department, Job Title, or Office Location) and automatically maps that device into the correct Dynamic Group. If a user is promoted or moves from NYC to London, their device automatically pulls the new region’s Wi-Fi, apps, and security settings without IT lifting a finger.

Mapping IdP Attributes to Dynamic Groups

1. Overview

This document outlines how to establish an Identity Anchor within Hexnode UEM. By syncing your Identity Provider (IdP) attributes, you can automate device lifecycle management, ensuring that every user receives the correct resources based on their directory profile.

2. Prerequisites

Before beginning the mapping process, ensure the following are configured:

  • Directory Sync: Your IdP (Entra ID, Google Workspace, Okta, or On-Premise AD) must be successfully integrated under Admin > Google Workspace/Okta/Entra ID.
  • Sync Interval: Ensure the “Sync Frequency” is set to at least once every 24 hours to capture department changes.
  • Attribute Scoping: Confirm that the attributes you wish to use (e.g., User group name or Department) are populated in your IdP.

3. Configuration Steps

Step A: Identify the Source Attribute

Determine which IdP field will serve as your “Anchor.”

  • Common Anchors: Department, Country, EmployeeID, or MemberOf (Security Groups).

Step B: Create the Dynamic Group in Hexnode

  1. Navigate to Manage > Device Groups > New Dynamic Group.
  2. Provide a clear naming convention (e.g., IDP-SYNC-Finance-Department).
  3. Under Condition Filters, select User info.

Step C: Define the Mapping Logic

Choose the filter that matches your directory structure:

  Filter Type        Logic          Example          Use Case
  Department         is equal to    Finance          Pushing specialized accounting software.
  User group name    contains       DevOps_Remote    Applying specific VPN and SSH configurations.

4. The “Anchor” Effect: Automated Lifecycle

Once the mapping is saved, the “Identity Anchor” logic takes over:

  • Onboarding: A user is added to the “Design” department in Entra ID.
  • Detection: Hexnode syncs with the IdP and detects the Department: Design attribute.
  • Assignment: The device is automatically moved into the “Design” Dynamic Group.
  • Deployment: Adobe Creative Cloud and Design-specific Wi-Fi profiles are pushed silently.
  • Offboarding: When the user is removed from the department, the device leaves the group, and the software licenses are automatically revoked.

5. Troubleshooting & Validation

  • Delayed Mapping: Initiate a manual sync from the Admin tab for the given IdP to ensure the latest directory changes have been pulled from it.
  • Null Attributes: If a user’s “Department” field is empty in the IdP, the device will fall into the “Default” or “Unassigned” group.
  • Attribute Conflicts: If a user belongs to two departments, ensure your Dynamic Group is configured with exceptions. Hexnode UEM applies the most restrictive policy by default.
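The following Python script is an added illustration of the mapping logic described in Steps C, 4 and 5; it is not Hexnode's code and does not call any Hexnode API. It models a dynamic group as a list of User info conditions using the two operators from the filter table (“is equal to” and “contains”), evaluates constructed directory records against them, drops users whose anchor attribute is empty into an “Unassigned” bucket, excludes users that match a group's exception condition, and reports users who land in more than one group (the conflict case). All record fields, group names and function names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

UNASSIGNED = "Unassigned"  # where a device lands when no dynamic group matches (constructed name)


@dataclass(frozen=True)
class Condition:
    attribute: str   # IdP attribute used as the anchor, e.g. "department" or "groups" (assumed field names)
    operator: str    # "is equal to" or "contains", the two operators in the filter table
    value: str


@dataclass
class DynamicGroup:
    name: str
    conditions: List[Condition]                                 # every condition must hold (AND)
    exceptions: List[Condition] = field(default_factory=list)   # any matching exception excludes the user


def _values(user: dict, attribute: str) -> List[str]:
    """Normalise a single- or multi-valued attribute into a list of non-empty strings."""
    raw = user.get(attribute)
    if raw is None:
        return []
    items = raw if isinstance(raw, list) else [raw]
    return [str(v).strip() for v in items if str(v).strip()]


def condition_matches(user: dict, cond: Condition) -> bool:
    vals = _values(user, cond.attribute)
    if not vals:
        return False  # a null attribute never satisfies a filter (section 5, Null Attributes)
    if cond.operator == "is equal to":
        return any(v.casefold() == cond.value.casefold() for v in vals)
    if cond.operator == "contains":
        return any(cond.value.casefold() in v.casefold() for v in vals)
    raise ValueError(f"unsupported operator: {cond.operator!r}")


def is_member(user: dict, group: DynamicGroup) -> bool:
    if any(condition_matches(user, e) for e in group.exceptions):
        return False
    return all(condition_matches(user, c) for c in group.conditions)


def assign(users: List[dict], groups: List[DynamicGroup]) -> Dict[str, List[str]]:
    """Map each user id to the dynamic groups it matches; no match means UNASSIGNED."""
    result: Dict[str, List[str]] = {}
    for user in users:
        names = [g.name for g in groups if is_member(user, g)]
        result[user["id"]] = names or [UNASSIGNED]
    return result


def conflicts(assignments: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Users that fall into more than one dynamic group (section 5, Attribute Conflicts)."""
    return {uid: names for uid, names in assignments.items() if len(names) > 1}


def users_without_attributes(users: List[dict], anchors: List[str]) -> List[str]:
    """Users whose anchor attribute is empty in the directory, for the validation step."""
    return [u["id"] for u in users if any(not _values(u, a) for a in anchors)]


# Constructed sample directory records, not real users.
SAMPLE_USERS = [
    {"id": "alice", "department": "Finance", "groups": ["Finance_All"]},
    {"id": "bob", "department": "Engineering", "groups": ["DevOps_Remote_EU"]},
    {"id": "carol", "department": "", "groups": []},                          # empty anchor attribute
    {"id": "dave", "department": "Finance", "groups": ["DevOps_Remote_US"]},  # matches two groups
    {"id": "erin", "department": "Finance", "groups": ["Contractors"]},       # removed by exception
]

# Constructed dynamic groups following the IDP- naming convention from the article.
SAMPLE_GROUPS = [
    DynamicGroup(
        name="IDP-SYNC-Finance-Department",
        conditions=[Condition("department", "is equal to", "Finance")],
        exceptions=[Condition("groups", "contains", "Contractors")],
    ),
    DynamicGroup(
        name="IDP-SYNC-DevOps-Remote",
        conditions=[Condition("groups", "contains", "DevOps_Remote")],
    ),
]


def run_sync():
    """Simulate one sync cycle: assignments, conflicts, and users missing the anchor attribute."""
    assignments = assign(SAMPLE_USERS, SAMPLE_GROUPS)
    return assignments, conflicts(assignments), users_without_attributes(SAMPLE_USERS, ["department"])


if __name__ == "__main__":
    assignments, conflicting, missing = run_sync()
    for uid, names in assignments.items():
        print(f"{uid:6} -> {', '.join(names)}")
    print("conflicts:", conflicting)
    print("missing anchor attribute:", missing)
```

Running the script shows the three situations the troubleshooting list describes: carol has no Department value and is reported both as Unassigned and by the attribute audit, dave matches both groups and is flagged as a conflict that the group's exceptions should resolve, and erin is kept out of the Finance group by the Contractors exception. The comparison is case-insensitive, but “Human Resources” and “HR” still produce two different groups, which is the split-group problem the naming-convention advice addresses.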

6. Best Practices

  • Use Group Prefixes: Name your Dynamic Groups with an “IDP-” prefix to distinguish them from manually managed groups.
  • Attribute Consistency: Ensure your HR team follows strict naming conventions in the IdP (e.g., “Human Resources” vs “HR”) to avoid split groups.
  • Periodic Audits: Run a “User Without Attributes” report monthly to find users with incomplete directory profiles.