Just-in-Time Administration: Securing Regional IT Teams
In a global estate of 500,000 devices, managing administrative access is critical to minimizing the “Blast Radius” of a compromised account. This document defines the technical framework for securing administrative access, scoping permissions for 500 technicians across 50 sub-companies, and leveraging the native Hexnode-ServiceNow integration to bridge IT service management with endpoint execution.
Logical Architecture: The Native Access Framework
Hexnode secures the administrative environment through a combination of external Identity Providers (IdP), Hexnode’s native Role-Based Access Control (RBAC), and Target Scoping.
- The Identity Anchor (SSO & MFA): Technicians authenticate via SAML 2.0 integration (e.g., Okta, Microsoft Entra ID). Hexnode natively supports global SSO enforcement under Admin > Technicians and Roles > Single Sign On.
- The RBAC Engine: Access is governed entirely by Hexnode’s built-in Technician Roles.
- Target Scoping (Define Scope): Within Custom Roles, technicians are restricted from viewing the entire fleet. Administrators are scoped explicitly to specific Devices, Device Groups, Users, User Groups, or Domains representing their regional OU.
Hexnode Native Role & Scoping Matrix
Access is granted based on: Identity + Hexnode Technician Role + Target Scope.
| Hexnode Native Role | Built-In vs. Custom | Permitted Capabilities | Enterprise Use Case |
| --- | --- | --- | --- |
| Super Admin | Built-In (Primary) | Ultimate privileges. Can access all tabs, modify subscriptions, and manage all other technicians. Cannot be deleted. | Global IT Director / Tenant Owner |
| Admin | Built-In | Full privileges across all tabs and features. Can add/edit other technicians (except Super Admin). | Regional IT Directors / Senior SecOps |
| Apps and Reports Manager | Built-In | Restricted to the Dashboard, Apps, and Reports tabs only. Cannot modify core policies or execute device wipes. | Application Deployment Teams / Software Auditors |
| Reports Manager | Built-In | Read-only access restricted entirely to the Dashboard and Reports tabs. | Compliance Officers / External Auditors |
| Custom Role | Custom (Ultra/Ultimate) | Highly granular. Can be restricted to specific remote actions (e.g., only “Clear Passcode” or “Remote View”). | Regional Service Desk / Helpdesk |
Execution Logic: The Access & ITSM Workflow
Phase 1: Authentication & Hexnode Scoping
- The technician navigates to the Hexnode portal (companyname.hexnodemdm.com).
- Authentication is routed through the approved IdP (Google, Microsoft, or Okta).
- Upon successful login, Hexnode reads the technician’s assigned role.
- Example: If an Admin creates a Custom Role for a regional technician and scopes it strictly to the “North America Sales” Device Group, that technician cannot see any device outside that group in their Manage tab.
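The access decision described by the role matrix and by the Phase 1 example above (Identity + Technician Role + Target Scope) can be modelled in a few lines. The following is an added illustration, not Hexnode code or its API: the capability sets per built-in role are a simplified assumption drawn from the matrix, and the device groups, technician accounts and action names are constructed. It also records a Who/What/When audit entry for every decision, mirroring the Audit Reports fields.

```python
"""Toy model of the Hexnode access decision: Identity + Technician Role + Target Scope.
Constructed example, not Hexnode code. Capability sets are a simplified assumption
based on the role matrix; groups, accounts and actions are made up."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed capability sets for the built-in roles (simplified from the matrix).
# "*" stands for unrestricted access.
ROLE_CAPABILITIES = {
    "Super Admin": {"*"},
    "Admin": {"view", "lock", "clear_passcode", "remote_view", "wipe", "edit_policy"},
    "Apps and Reports Manager": {"view", "deploy_app", "view_reports"},
    "Reports Manager": {"view_reports"},
}


@dataclass(frozen=True)
class Device:
    device_id: str
    group: str  # Device Group the device belongs to


@dataclass(frozen=True)
class Technician:
    email: str
    role: str
    # Only meaningful for "Custom Role": the explicit remote actions granted.
    custom_capabilities: frozenset = frozenset()
    # Device Groups the technician is scoped to; empty means the entire fleet.
    scope_groups: frozenset = frozenset()


def capabilities(tech: Technician) -> set:
    if tech.role == "Custom Role":
        return set(tech.custom_capabilities)
    return ROLE_CAPABILITIES[tech.role]


def in_scope(tech: Technician, device: Device) -> bool:
    """Target Scope check: unscoped technicians see everything."""
    return not tech.scope_groups or device.group in tech.scope_groups


def visible_devices(tech: Technician, fleet: list) -> list:
    """What the technician would see in the Manage tab."""
    return [d for d in fleet if in_scope(tech, d)]


def authorize(tech: Technician, action: str, device: Device, audit: list) -> bool:
    """Allow the action only if the role grants it AND the device is in scope.
    Appends a Who/What/When record with the outcome either way."""
    caps = capabilities(tech)
    allowed = ("*" in caps or action in caps) and in_scope(tech, device)
    audit.append({
        "who": tech.email,
        "what": f"{action}:{device.device_id}",
        "when": datetime.now(timezone.utc).isoformat(),
        "result": "success" if allowed else "denied",
    })
    return allowed


# Constructed fleet and technicians.
FLEET = [
    Device("LAPTOP-NA-001", "North America Sales"),
    Device("LAPTOP-NA-002", "North America Sales"),
    Device("LAPTOP-EU-001", "EMEA Sales"),
    Device("PHONE-APAC-001", "APAC Field"),
]
NA_HELPDESK = Technician(
    "helpdesk.na@example.com", "Custom Role",
    custom_capabilities=frozenset({"view", "remote_view", "clear_passcode"}),
    scope_groups=frozenset({"North America Sales"}),
)
REPORTS_MGR = Technician("auditor@example.com", "Reports Manager")
GLOBAL_ADMIN = Technician("it.director@example.com", "Admin")


if __name__ == "__main__":
    log = []
    print([d.device_id for d in visible_devices(NA_HELPDESK, FLEET)])
    print(authorize(NA_HELPDESK, "clear_passcode", FLEET[0], log))  # in scope, granted
    print(authorize(NA_HELPDESK, "clear_passcode", FLEET[2], log))  # out of scope
    print(authorize(NA_HELPDESK, "wipe", FLEET[0], log))            # action not granted
    for entry in log:
        print(entry)
```

The two denials in the usage section are the cases a regional helpdesk role is meant to produce: an out-of-scope device and an action the Custom Role never granted. Both still land in the audit list, which is the behaviour a reviewer wants when reconciling Action History against role definitions.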
Phase 2: Contextual Action via ITSM (ServiceNow)
To maintain an audit trail without granting broad Hexnode Admin access, routine tasks are executed via the ITSM bridge.
- Direct Execution: Using the Hexnode integration for ServiceNow, a technician can click remote actions (like “Lock Device” or “Clear Passcode”) directly from the ServiceNow Incident record.
- Synchronization: Device compliance and telemetry are synced directly to the ServiceNow CMDB, allowing support teams to diagnose issues without needing a Hexnode Admin account.
Phase 3: Auditing & Logging (VERIFY)
- Action History: Tracks the success/failure state of every remote command sent to a device under the Manage > Action History tab.
- Audit Logs: A tamper-proof log under Reports > Audit Reports recording Who (Technician Name/Email), What (Action taken), and When (Timestamp).
Governance & Fail-Safe Protocols
- Active Session Limits: Hexnode restricts technicians to a single active session. If a technician logs in from a second browser, the first session is instantly terminated.
- Logon Restrictions: To prevent external credential stuffing, Hexnode enforces IP Allowlisting and customized CAPTCHA limits (e.g., trigger CAPTCHA after 3 failed attempts) under Admin > Logon Restrictions.
- IdP Revocation: If a technician leaves the company, their access is severed at the IdP level, instantly breaking their ability to authenticate into the Hexnode portal via SSO.
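The three governance controls above (single active session, IP allowlisting with a CAPTCHA threshold, and IdP-side revocation) combine into one gate in front of the portal. The following is an added illustration of that gate, not Hexnode code: the allowlisted networks, the three-failure CAPTCHA threshold (taken from the example above) and the simulated IdP outcome are all assumptions, and the IdP itself is represented by a boolean rather than a real SAML exchange.

```python
"""Toy model of the portal logon controls: IP allowlist, CAPTCHA after N failed
attempts, one active session per technician, and IdP revocation.
Constructed example, not Hexnode code; networks and thresholds are assumptions."""
import ipaddress
from collections import defaultdict


class LogonGuard:
    def __init__(self, allowlist, captcha_after=3):
        self.allowed_nets = [ipaddress.ip_network(n) for n in allowlist]
        self.captcha_after = captcha_after
        self.failures = defaultdict(int)  # consecutive failed attempts per technician
        self.sessions = {}                # technician email -> the one active session id
        self.revoked = set()              # technicians disabled at the IdP
        self._seq = 0

    def ip_allowed(self, source_ip: str) -> bool:
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in self.allowed_nets)

    def captcha_required(self, email: str) -> bool:
        return self.failures[email] >= self.captcha_after

    def revoke_at_idp(self, email: str) -> None:
        """Simulates the IdP disabling the account: SSO can no longer succeed."""
        self.revoked.add(email)

    def attempt_login(self, email: str, source_ip: str, idp_ok: bool, captcha_ok: bool = False):
        """Returns (status, session_id). idp_ok stands in for the SAML assertion result."""
        if not self.ip_allowed(source_ip):
            return ("blocked_ip", None)          # never reaches the IdP
        if self.captcha_required(email) and not captcha_ok:
            return ("captcha_required", None)    # throttles credential stuffing
        if not idp_ok or email in self.revoked:
            self.failures[email] += 1
            return ("denied", None)
        self.failures[email] = 0                 # successful login resets the counter
        self._seq += 1
        session_id = f"sess-{self._seq}"
        previous = self.sessions.get(email)
        self.sessions[email] = session_id        # single active session per technician
        return ("ok" if previous is None else "ok_previous_terminated", session_id)

    def is_session_active(self, email: str, session_id: str) -> bool:
        return self.sessions.get(email) == session_id


if __name__ == "__main__":
    guard = LogonGuard(["10.0.0.0/8", "203.0.113.0/24"], captcha_after=3)
    print(guard.attempt_login("tech@example.com", "198.51.100.7", idp_ok=True))  # outside allowlist
    for _ in range(3):
        print(guard.attempt_login("tech@example.com", "10.1.2.3", idp_ok=False))  # wrong credentials
    print(guard.attempt_login("tech@example.com", "10.1.2.3", idp_ok=True))      # CAPTCHA now required
    status, first = guard.attempt_login("tech@example.com", "10.1.2.3", idp_ok=True, captcha_ok=True)
    status2, second = guard.attempt_login("tech@example.com", "10.1.2.3", idp_ok=True)  # second browser
    print(status, status2, guard.is_session_active("tech@example.com", first))
    guard.revoke_at_idp("tech@example.com")
    print(guard.attempt_login("tech@example.com", "10.1.2.3", idp_ok=True))      # severed at IdP
```

Order matters in the gate: the allowlist check runs before anything touches the IdP, the CAPTCHA check runs before credentials are evaluated, and revocation is enforced at the IdP step so that a disabled account fails even with a correct password.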
Implementation Checklist
- Global SSO: Navigate to Admin > Technicians and Roles > Single Sign On and enforce Microsoft/Okta logins.
- ServiceNow Sync: Install the Hexnode UEM app from the ServiceNow Store and configure API keys.
- Scoping (Device Groups): Create static Device Groups for each of the 50 sub-company portals under the Manage > Device Groups tab.
- Custom Roles (If on Ultimate/Ultra): Navigate to Admin > Technicians and Roles > Roles > Add Role. Build granular roles (e.g., allowing only Remote View and Passcode Resets) for the regional helpdesk teams.
- Role Assignment: Click Add Technician, assign the appropriate predefined or custom role, and define the scope to bind them exclusively to their regional Device Group.