Identity-Based Geofencing: Dynamic policy shifts based on user department + location
Overview: Automated Policy Orchestration via Dynamic Grouping
Hexnode UEM evolves standard geofencing by moving beyond universal perimeter rules. Instead of applying the same restrictions to every device in a location, Hexnode utilizes Dynamic Device Groups to merge real-time geographical data with User Info attributes (such as Department or User Type) synced from Identity Providers (IdP).
This orchestration allows the Hexnode UEM console to automatically rotate device configurations by associating or disassociating policies based on the user’s role. By using dynamic groups as the “trigger”, the console ensures that functional capabilities defined via Hexnode policies are always aligned with the user’s professional responsibilities and current environment.
- Scenario (Sales): When a user assigned to the Sales department leaves the office for a client site, the Hexnode UEM console detects the location change and automatically swaps internal CRM tools for field-optimized sales applications.
- Scenario (Finance): As a direct result of dynamic grouping, a Finance user’s sensitive accounting applications are immediately hidden or blocked when they exit the corporate headquarters, preventing data exposure in public spaces.
Operational Logic: The Automated Transition Workflow
The core of this strategy is the “Dual-Group Workflow.” By creating two Dynamic Device Groups with opposing location filters, Hexnode UEM manages the automatic association and disassociation of policies.
A. The “Inside” Dynamic Group (Include Filter)
This group is configured to capture devices only when their reported location is within the defined perimeter.
- Location Filter: Include selected Geofence (e.g., Headquarters).
- Condition Filters: User Info > Department Is Finance AND User Info > User Type Is Entra ID.
- Policy Association: A policy tailored for secure office environments (e.g., App Allowlisting for sensitive financial tools).
B. The “Outside” Dynamic Group (Exclude Filter)
To ensure continuous management, a second group targets the same user demographic but triggers only when they are outside the perimeter.
- Location Filter: Exclude selected Geofence (e.g., Headquarters).
- Condition Filters: User Info > Department Is Finance AND User Info > User Type Is Entra ID.
- Policy Association: A policy configured for remote or field-based security (e.g., App Blocklisting to hide sensitive tools or enforcing a Global HTTP Proxy).
The Technical Execution Flow
Hexnode UEM orchestrates the transition between these states through a continuous sync loop:
- Location Reporting: The managed device sends periodic GPS coordinates to the Hexnode UEM console.
- Geofence Evaluation: The console cross-references the coordinates against defined regions.
- Identity Sync: Hexnode UEM syncs the user’s department and type (e.g., “Finance” from Entra ID/Google Workspace).
- Dynamic Re-Grouping: During the scheduled device scan, the device is moved from the “Inside” group to the “Outside” group (or vice versa).
- Policy Rotation: Hexnode disassociates the previous group’s policy and associates the new group’s policy in real-time.
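The dual-group workflow and the scan loop above, as an added example that is not Hexnode's code: one geofence, two Dynamic Device Groups sharing the same User Info condition filters but opposite location filters, and one scan that decides which group the device lands in and which policy is associated. The fence coordinates, group names and policy names are constructed sample values; a scan with no location report keeps the previous policy, since the geofence step cannot run without coordinates.

```python
"""Toy model of Hexnode-style dynamic grouping for identity-based geofencing.
Hypothetical illustration, not Hexnode UEM's implementation."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000


@dataclass
class Geofence:
    name: str
    lat: float
    lon: float
    radius_m: float

    def contains(self, lat: float, lon: float) -> bool:
        # Great-circle (haversine) distance from the fence centre vs. its radius
        dlat, dlon = radians(lat - self.lat), radians(lon - self.lon)
        a = sin(dlat / 2) ** 2 + cos(radians(self.lat)) * cos(radians(lat)) * sin(dlon / 2) ** 2
        return EARTH_RADIUS_M * 2 * asin(sqrt(a)) <= self.radius_m


@dataclass
class DynamicGroup:
    name: str
    fence: Geofence
    include: bool      # True = "Include selected Geofence", False = "Exclude selected Geofence"
    conditions: dict   # User Info attribute -> required value; all must match (AND)
    policy: str

    def matches(self, user_info: dict, lat: float, lon: float) -> bool:
        if any(user_info.get(attr) != value for attr, value in self.conditions.items()):
            return False
        return self.fence.contains(lat, lon) == self.include


def evaluate(groups, user_info, location, current_policy):
    """One scheduled scan. Returns (group name, policy now associated).
    No location report -> geofence evaluation stalls, previous policy stays."""
    if location is None:
        return None, current_policy
    for group in groups:
        if group.matches(user_info, *location):
            return group.name, group.policy   # rotation: old policy disassociated, new one associated
    return None, None   # condition filters not met: neither location group applies


HQ = Geofence("Headquarters", 37.7749, -122.4194, 300)   # constructed sample fence
FINANCE = {"Department": "Finance", "User Type": "Entra ID"}
GROUPS = [DynamicGroup("Finance-Inside", HQ, True, FINANCE, "On-Site Finance"),
          DynamicGroup("Finance-Outside", HQ, False, FINANCE, "Off-Site Finance")]
```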
Policy Transition Matrix: Strategic Enforcement
The following matrix illustrates how Hexnode UEM orchestrates automated environment shifts by evaluating the intersection of User Info and Geofence status. By utilizing two distinct Dynamic Device Groups, one configured with the Include filter and the other with the Exclude filter, administrators can ensure that the device’s operational state remains strictly aligned with the organization’s security requirements.
- Dynamic Access Control: This framework ensures that high-privilege tools are only accessible within verified, secure perimeters.
- Automated Remediation: If a device exits a mandatory boundary, Hexnode UEM automatically disassociates the On-Site policy (containing localized office configurations) and associates the Off-Site policy (containing remote-work configurations).
- Role-Based Geospatial Security: Tailors security protocols and app availability to the specific data sensitivity of each department.
| User Department | Internal Perimeter Configuration (Include Geofence) | External Perimeter Configuration (Exclude Geofence) | Strategic Objective |
|---|---|---|---|
| Engineering | Full Access: Access to local development repositories and internal Wikis. | IP Protection: Core dev tools are hidden via App Blocklist; VPN is auto enabled. | Prevent unauthorized exposure of source code in public/unsecured Wi-Fi. |
| Sales | App Allowlist (Internal Tools): Access to internal CRM and local sales collateral. | App Allowlist (Field Tools): Seamless shift to mobile payment apps and field-reporting tools. | Maintain business continuity and productivity for roaming employees. |
| Finance | High-Sensitivity: Full access to payroll and local accounting software. | Non-Compliant Status / App Blocklist: Automatic restriction of financial apps; device may be marked non-compliant or locked. | Mitigate the risk of high-value data leakage outside secure zones. |
Security Controls & Governance
Hexnode UEM provides native safeguards to ensure location-based triggers remain tamper-proof:
- Mock Location Prevention: Administrators should uncheck the “Mock location” option in the Restrictions policy for Android devices in Device Owner mode to prevent location spoofing.
- Force GPS Settings: Enabling the Force GPS to fetch location restriction within the Restrictions policy for Android ensures that end-users cannot disable location services, which would otherwise stall the geofencing logic.
- Automated Compliance Actions: If a device exits a mandatory fence, Hexnode UEM can mark the device as non-compliant, triggering immediate remote actions such as Lock Device if configured in the Automate tab.
Implementation Summary
To deploy this architecture, the administrator follows these steps:
- Define Fences: Define perimeters during group setup by clicking + Create New Geofences within the Dynamic Group creation screen.
- Create Groups: Configure one group with the Include filter and another group with the Exclude filter for the defined geofence region.
- Associate Policies: Associate the appropriate On-Site policy (containing office-based configurations) and Off-Site policy (containing remote-work configurations) to the respective groups.