Location-Based Compliance Policies: Architecting Geofenced Endpoint Security

Overview: Automated Containment for High-Security Environments

In high-security sectors—such as R&D labs, healthcare facilities, or financial trading floors—corporate devices are often loaded with sensitive Intellectual Property (IP) or regulated data. The operational mandate is clear: These devices must never leave the building. If a device crosses the physical threshold of the facility, whether by accidental employee negligence or malicious theft, IT needs an immediate, zero-touch response to secure the data.

Hexnode UEM allows administrators to solve this by architecting a “Lock-on-Exit” perimeter. By combining Geofencing, Device Compliance routing, and Hexnode’s Automate feature, you can build a self-enforcing security boundary that instantly locks the hardware the moment it leaves the authorized zone.

Here is how to architect this solution.

Prerequisites:

Enable Location Tracking: For Hexnode’s geofencing and real-time scanning to function, the devices must be actively reporting their coordinates. Before proceeding, ensure you have a baseline Location Tracking policy configured and associated with your high-security device fleet.

Phase 1: Drawing the Invisible Perimeter (Geofencing & Policies)

The Objective: Teach Hexnode exactly where the “safe zone” is and assign those boundaries to your high-security hardware fleet.

The Hexnode Mechanism: We start by defining a geographic boundary. Hexnode allows you to drop a custom polygon fence (perfect for tracing the exact shape of a corporate campus or building) or a standard circular radius (between 100 and 6500 meters).

The Execution:

  1. Define the Zone: Navigate to Admin > Geofencing and create your fence. Use the polygon tool to trace the exact perimeter of your secure facility (e.g., “R&D Facility Alpha”).
  2. Bind the Fence to the Fleet: From the Policies tab, configure a baseline security policy for your hardware. Because Hexnode’s geofencing capabilities span across iOS, Android, Windows, macOS, and visionOS, you can secure a highly diverse fleet. Within the policy configuration for your respective platforms, navigate to Tracking and Fencing > Geofencing, attach the “R&D Facility Alpha” boundary, and deploy the policy to your high-security device groups. Hexnode is now actively monitoring their location relative to this specific building.

Phase 2: Defining the Rules of Engagement (Compliance)

The Objective: Geofencing alone just tells the system where the device is. Now, we need to instruct Hexnode that crossing this specific boundary is a critical security violation.

The Hexnode Mechanism: We use a Compliance Policy to shift the device’s internal status from “Healthy” to “Non-Compliant” if it breaks the geographic rule.

The Execution:

  1. Go to Policies > Compliance Policy > New Policy and create a new rule for your target platforms.
  2. Under the Basic Settings, enable the rule for “Device moves out of geofence”.
  3. Apply this to your target devices.

At this stage, if a device leaves the building, Hexnode registers the breach and formally flags the device as “Non-Compliant.” However, it hasn’t actually done anything to the device yet. That requires the final phase.

Phase 3: Arming the Trap (Automated Remediation)

The Objective: We need Hexnode to execute an immediate defensive action the split-second the compliance violation occurs, without waiting for an IT admin to wake up, read an alert, and push a button.

The Hexnode Mechanism: We use the Automate engine to act as a listener. It listens for the specific compliance failure we set up in Phase 2 and fires a remote command in response.

The Execution:

  1. Navigate to the Automate tab and create a New Automation (e.g., “Defensive Lock: R&D Exit”).
  2. The Action: First, define what the system should do. Scroll to the Security actions section. Here you have two strategic choices depending on your security posture:
    1. Lock Device (Standard Response): Sends the device to the lock screen, securing it behind the user’s existing passcode or biometric. You can also configure a custom message to display on the screen (e.g., “Device locked by IT”). However, the employee can still unlock the device if they enter their PIN.
    2. Enable Lost Mode (Strict Response): Completely locks the user out of the hardware, overriding their normal PIN. You can configure a custom warning on the screen (e.g., “Unauthorized Removal. Return to Security Desk immediately.”), and the device will remain completely frozen until an IT admin explicitly disables Lost Mode directly from the Hexnode UEM portal.
  3. The Trigger: Next, define exactly when the lock should happen. Set the automation to trigger based on Activity and specifically select the On Location Non-Compliance event.
  4. Target this automation at your high-security device groups and activate it.
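As an added example that is not Hexnode’s code or API, the following Python models the three phases locally: a polygon or circular fence (Phase 1, enforcing the 100 to 6500 m radius bound), the compliance flag (Phase 2), and the automation’s Lock Device versus Lost Mode response (Phase 3), including that Lost Mode persists after re-entry until an admin clears it. All coordinates, the `Device` class and its method names are constructed for illustration.

```python
# Added illustrative example (not Hexnode code): a local model of the
# "Lock-on-Exit" pipeline from Phases 1-3. All coordinates are constructed.
import math

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two (lat, lon) points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def in_circle(fix, center, radius_m):
    """Phase 1, circular fence; the page gives a 100-6500 m radius range."""
    if not 100 <= radius_m <= 6500:
        raise ValueError("circular fence radius must be 100-6500 m")
    return haversine_m(*fix, *center) <= radius_m

def in_polygon(fix, vertices):
    """Phase 1, polygon fence: ray-casting test over (lat, lon) vertices."""
    lat, lon = fix
    inside = False
    for i, (lat1, lon1) in enumerate(vertices):
        lat2, lon2 = vertices[(i + 1) % len(vertices)]
        if (lon1 > lon) != (lon2 > lon):   # edge straddles the fix's longitude
            if lat < (lon - lon1) * (lat2 - lat1) / (lon2 - lon1) + lat1:
                inside = not inside
    return inside

class Device:
    """Phases 2 and 3: compliance status and the automation's remediation (constructed model)."""
    def __init__(self, fence, strict):
        self.fence, self.strict = fence, strict   # fence: callable fix -> bool
        self.status, self.lost_mode = "Compliant", False

    def report_location(self, fix):
        """Returns the remote command the automation fires for this fix, or None."""
        if self.fence(fix):
            self.status = "Compliant"   # re-entering the fence never clears Lost Mode
            return None
        self.status = "Location Non-Compliant"
        if self.strict:
            self.lost_mode = True
            return "Enable Lost Mode"
        return "Lock Device"            # user can still unlock with their own PIN

    def admin_disable_lost_mode(self):
        """Only an explicit admin action in the portal releases the device."""
        self.lost_mode = False
```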

The Workflow in Action (The Result)

An employee finishes their shift and accidentally packs a corporate R&D tablet into their backpack. They walk out the front doors and head toward the parking lot.

  1. The Tripwire: The Hexnode agent detects that the device’s GPS coordinates have crossed the polygon boundary established in Phase 1.
  2. The Flag: The Compliance Policy from Phase 2 instantly flags the device as “Location Non-Compliant.”
  3. The Response: The Automation engine catches the flag and instantly fires the remote command over the air before the employee even reaches their car.
    1. If Lock Device was selected, the screen goes black, displays your custom message, and secures the corporate IP behind the standard lock screen.
    2. If Lost Mode was triggered, the tablet completely freezes, disables normal user access, and prominently displays your security warning. The device is effectively a brick until IT investigates the breach and manually disables Lost Mode from the Hexnode portal.

Post-Incident Diagnostics: Tracking the Asset

Once a device has tripped the wire and locked itself, security teams will need to locate the physical hardware.

Instead of relying on historical location data or waiting for the next scheduled ping, an IT admin can intervene manually to track the locked device. By navigating to Manage > Devices, selecting the locked tablet, and using the Actions > Scanning & Monitoring > Scan Device Location remote action, Hexnode forces the device’s GPS hardware to immediately report its real-time coordinates, allowing your team to easily retrieve the secured asset.

Solution Framework