Just-in-Time (JIT) Group Mapping: Real-time policy assignment on first-user login
In Hexnode UEM, Just-in-Time (JIT) Provisioning is the automation engine that bridges Identity and Access Management (IAM) with Mobile Device Management. By leveraging Directory Integrations (such as Microsoft Entra ID, Okta, or Google Workspace) during Authenticated Enrollment, Hexnode eliminates manual device sorting. The user’s synced directory attributes automatically dictate their Dynamic User Group membership, ensuring that the correct Policies (apps, restrictions, and configurations) hit the device the moment the enrollment authentication succeeds.
1. The Architectural Concept
Traditional Mobile Device Management requires an administrator to manually assign enrolled devices to target Device Groups. Hexnode’s JIT architecture relies on User-Centric Policy Routing via Authenticated Enrollment.
During enrollment methods like Apple Automated Device Enrollment (ADE) with Modern Authentication, or Android Enterprise (Device Owner / Profile Owner) provisioning, the user authenticates against the integrated IdP. Hexnode reads organizational attributes (e.g., Department, Job Title) from the IdP sync. The user is instantly populated into a Dynamic User Group. The newly enrolled device is bound to this user, triggering the immediate deployment of the Policies attached to that group.
2. Configuring Directory Group Routing
Because Hexnode trusts the Identity Provider as the source of truth, the attribute-based logic (e.g., sorting users by Department or Title) is configured inside your IdP (such as Entra ID Dynamic Groups). Hexnode seamlessly imports these groups.
Configuration Steps
- In your IdP (e.g., Entra ID/Okta): Create a dynamic group based on user attributes (e.g., user.department -eq "Sales").
- In Hexnode: Navigate to Admin > Integrations.
- Ensure the target IdP group is selected for synchronization.
- Navigate to Manage > Policies.
- Select or create the desired policy (e.g., “Sales CRM Deployment”).
- Navigate to Policy Targets, select User Groups, and target the synced IdP group.
Evaluation Logic Matrix (IdP to Hexnode)
The logic evaluation occurs in the directory; Hexnode executes the resulting Mobile Device Management actions.
| IdP Configuration (The Logic) | Hexnode Sync (The Target) | Hexnode Policy Result (The Action) |
|---|---|---|
| Entra ID: Department == Sales | Synced Group: Entra_Sales_Team | Deploys Salesforce App & Cellular Data limits |
| Okta: Title CONTAINS Developer | Synced Group: Okta_Dev_Engineering | Enables macOS Terminal & FileVault |
| Google Workspace: EU_Staff | Synced Group: GWS_EU_Staff | Enforces strict GDPR data residency profiles |
3. Policy Deployment Logic
Policies associated with Synced Directory Groups can deliver a variety of payloads, including:
- Applications: Mandatory or Required apps via the Hexnode App Inventory.
- Configuration Profiles: Wi-Fi, Per-App VPN, Email, etc.
- Restrictions: Device feature limitations.
Group Membership Behavior
- On Addition: When the IdP adds a user to a group, the next Hexnode directory sync registers the change and applies all associated policies.
- On Removal: If a user is removed from an IdP group, Hexnode detects this and withdraws the associated policies. Note: Application removal occurs only if “Remove app when policy is removed” is enabled.
Crucial Note on App Lifecycle: Application removal depends entirely on how the initial app deployment was configured. If the “Remove app when policy is removed” setting is enabled, the application will be uninstalled when the user no longer belongs to the synced directory group.
4. The Execution Loop: Authenticate ➔ Evaluate ➔ Deploy
To ensure high-scale reliability, Hexnode’s JIT provisioning relies on native OS routing frameworks:
- Authenticate (The Ingress): The user enters IdP credentials during the Out-of-Box Experience (OOBE) or via the Hexnode For Work/Hexnode UEM app.
- Evaluate (Directory Sync): Hexnode communicates with the IdP API, confirms the user’s attributes, updates the user profile under the Manage > Users tab, and computes membership for Dynamic User Groups.
- Deploy (Mobile Device Management Payload Execution): Hexnode generates the configuration profiles and queues them via the Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM) for sub-second delivery to the enrolled endpoint.
5. Failure Modes & AI Diagnostic Dictionary
Optimized troubleshooting logic based on Hexnode administrative workflows.
| Error State | Semantic Meaning / Cause | Hexnode Remediation Action |
|---|---|---|
| SYNC_ATTR_MISSING | Required attribute was not synced from the IdP. | Go to Admin > [IdP Name], map the specific attribute, and Sync Now. |
| GROUP_RULE_FAIL | Metadata exists, but user not added to Dynamic Group. | Check Manage > User Groups for conflicting AND/OR conditions. |
| PAYLOAD_LATENCY | User is in group, but device did not receive policies. | Verify connectivity and send a Scan Device command from the Actions menu. |
6. Governance: Scheduled Syncs & Ephemeral Mapping
To maintain an accurate Zero-Trust posture, Hexnode relies on Scheduled Directory Syncs to govern configuration state changes.
- Persistent State: Following the initial enrollment, the device retains its assigned Policies as long as IdP attributes remain unchanged.
- Dynamic Re-Evaluation: If an admin changes a user’s department from “Sales” to “Marketing” in Entra ID, Hexnode detects this via its automated Scheduled Sync. Hexnode automatically moves the user to the “Marketing” Dynamic User Group, triggers an Uninstall Application command for the Sales CRM (if deployed as a managed app), and deploys the Marketing Required Apps and Configurations to the device, all without physical IT interaction.
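The following is an added illustration, not Hexnode code, of the attribute-to-group-to-policy flow from section 2 and the re-evaluation in section 6: rules in the style of the quoted Entra expression (user.department -eq "Sales") are matched against a user's synced attributes, and a sync computes which policies to withdraw or deploy, honouring the "Remove app when policy is removed" flag. The rule tuple format, the OPERATORS table, and the policy names "Dev Tooling" and "MarketingSuite" are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    apps: frozenset = frozenset()
    # Mirrors the "Remove app when policy is removed" setting described on the page
    remove_app_when_policy_removed: bool = True

# Hypothetical rule tuples (attribute, operator, value) mirroring Entra-style
# dynamic-group syntax such as  user.department -eq "Sales"
OPERATORS = {"-eq": lambda actual, v: actual == v, "-contains": lambda actual, v: v in actual}
GROUP_RULES = {
    "Entra_Sales_Team": ("department", "-eq", "Sales"),
    "Okta_Dev_Engineering": ("title", "-contains", "Developer"),
    "Entra_Marketing_Team": ("department", "-eq", "Marketing"),
}
# Constructed policy targets; "MarketingSuite" and "Dev Tooling" are invented names
POLICY_TARGETS = {
    "Entra_Sales_Team": Policy("Sales CRM Deployment", frozenset({"Salesforce"}), True),
    "Okta_Dev_Engineering": Policy("Dev Tooling", frozenset({"Terminal"}), False),
    "Entra_Marketing_Team": Policy("Marketing Required Apps", frozenset({"MarketingSuite"}), True),
}

def rule_matches(rule, attrs):
    """Evaluate one directory rule; an unsynced attribute never matches (SYNC_ATTR_MISSING)."""
    attr, op, value = rule
    actual = attrs.get(attr)
    return actual is not None and OPERATORS[op](actual, value)

def evaluate_groups(attrs):
    """Dynamic group membership computed from the user's synced attributes."""
    return {g for g, rule in GROUP_RULES.items() if rule_matches(rule, attrs)}

def resync(old_attrs, new_attrs):
    """Actions a scheduled sync queues when a user's attributes change."""
    before, after = evaluate_groups(old_attrs), evaluate_groups(new_attrs)
    actions = []
    for group in sorted(before - after):  # groups the user left
        pol = POLICY_TARGETS[group]
        actions.append(("withdraw_policy", pol.name))
        if pol.remove_app_when_policy_removed:  # app stays installed unless the flag is set
            actions.extend(("uninstall_app", a) for a in sorted(pol.apps))
    for group in sorted(after - before):  # groups the user joined
        pol = POLICY_TARGETS[group]
        actions.append(("deploy_policy", pol.name))
        actions.extend(("install_app", a) for a in sorted(pol.apps))
    return actions
```

Running resync({"department": "Sales"}, {"department": "Marketing"}) yields the withdraw/uninstall/deploy/install sequence described in section 6, while a user leaving a group whose policy has the removal flag off keeps the app installed.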