Manage Incidents from Hexnode: A complete guide
In an enterprise environment, incidents represent events that may pose security, compliance, or operational risks to managed devices. These can range from failed policy executions and unauthorized device access attempts to integration issues or configuration errors. Managing such incidents promptly helps IT teams enforce compliance and prevent service disruptions.
The Incidents tab in Hexnode UEM consolidates all these incidents into a single, easy-to-navigate view. It allows administrators to monitor incidents across devices, users, and integrated services in real-time, assess their severity, and take the necessary actions for resolution. By centralizing incident monitoring and management, Hexnode enables organizations to detect potential issues early, minimize risks, and ensure consistent operational security.
The Incidents tab is divided into three subtabs:
- Critical – Displays the most severe incidents that require immediate attention.
- Endpoints – Displays incidents associated with endpoints.
- Users – Displays incidents associated with end users.
Each subtab includes a dashboard for quick insights and detailed categories for drilling down into specific issues.
Critical
The Critical subtab displays severe incidents that call for immediate attention and resolution to avoid security or compliance issues.
This subtab can be customized to display the incident types most relevant to you. Click the pen icon next to the Dashboard to open the customization window, where you can add the incident categories you want to include, remove the ones you don’t, and rearrange their order. This controls which categories from the Critical section and the other sections (Endpoints and Users) appear in the dashboard.
Dashboard
A summary view showing Critical Incidents by Platform, Critical Incidents by User, Critical Incidents by Device, and an Incident Feed for quick monitoring.
The following are the available incident categories under the Critical subtab:
Apple Services
Flags issues with Apple Business/School Manager configurations, APNs certificate expiry, or VPP license errors that could disrupt Apple device management.
Android Enterprise
Displays integration-related failures, such as issues in syncing or managing Android Enterprise devices.
UEM License
Indicates problems with the Hexnode UEM licensing plan, such as expired or invalid licenses, which may affect feature availability.
Technician Sign-In
Tracks failed or unusual technician login attempts that may point to unauthorized access attempts.
Hexnode Agents
Lists incidents from configured agents like Active Directory and DAFS, helping identify sync errors or agent downtime.
Endpoints
The Endpoints subtab focuses on incidents that occur on managed devices. These include compliance violations, policy failures, abnormal memory usage, device ownership changes, issues related to cellular connectivity, etc. This subtab helps admins quickly identify compliance gaps and operational issues across endpoints.
Dashboard
Displays a summary of endpoint-specific incidents including Endpoint Incidents by Platform, Endpoint Incidents by User, Endpoint Incidents by Device, and Incident Feed.
The following are the available incident categories under the Endpoints subtab:
Endpoint Compliance
This incident section highlights security and compliance deviations on devices, helping admins quickly identify risky device states.
- Rooted/Jailbroken devices – Detects devices that have been rooted or jailbroken, as these modifications bypass built-in security controls.
- Geofence violations – Flags devices that move outside predefined geographical boundaries, which could signal loss or misuse.
- Compliance policy violations – Identifies devices that fail to adhere to the compliance policies set by the administrator.
Command Failures
This incident section covers situations where Hexnode policies, certificate configurations or automation tasks fail to execute on devices, allowing admins to detect and address the issues promptly.
- Policy – Reports when a policy fails to apply to a device, which may leave it non-compliant.
- Certificates – Alerts admins when a device fails to install a required certificate, potentially blocking secure communications.
- Automations – Lists automation tasks that could not be executed, preventing workflows from completing as intended.
High Usage Detected
This incident section shows devices exhibiting unusually high memory and CPU usage, which could indicate device performance-related issues.
- High memory usage – Detects devices where memory usage exceeds 90%.
- High processor usage – Identifies devices with CPU usage above 90%.
Devices with Recent Owner Updates
This incident section shows changes in device ownership to ensure visibility and accountability for asset transfers.
- Recent owner changes – Detects when ownership of a device is reassigned, ensuring visibility into asset transfers.
- Recent owner change upon re-enrollment – Detects changes in device ownership that occur after re-enrollment.
Remote Access
This section highlights incidents caused by misconfigurations that may affect remote access on devices.
Remote access misconfiguration incidents originate from the device itself. They occur when the device has not been granted the necessary permissions for remote access, or when the Hexnode Remote Assist app is not installed.
Cellular
This section reports issues related to a device’s cellular connectivity, such as SIM removal or SIM changes.
Kiosk Exits
This section captures occurrences where devices exit kiosk mode, either by user action or administrative intervention.
- Kiosk exit from device – Logs when a user manually exits kiosk mode.
- Kiosk exit by admin – Logs admin-initiated kiosk exits.
Encryption
This incident section flags devices where encryption (BitLocker or FileVault) is enabled, helping admins stay aware of changes to device encryption status.
Disenrollments
This incident section shows devices that are removed from management or become inactive, enabling admins to monitor potential security risks.
- Inactive devices – Identifies devices that have gone inactive.
- Disenrollments by user – Logs cases where a user removes their device from management.
- Disenrollments by admin – Logs admin-initiated disenrollments to track intentional device removals.
Battery Health
This incident section monitors devices reporting poor battery health, assisting admins in identifying potential hardware failures early.
Users
The Users subtab captures incidents related to end-user activities. These incidents represent events that may indicate unusual, risky, or non-compliant behavior, such as multiple devices assigned to a single user, geofence violations, suspicious location reporting, or frequent password changes. This subtab helps admins monitor user behavior, detect anomalies, and take timely actions to maintain security and compliance.
Dashboard
Summarizes user-specific incidents with User Incidents by Platform, User Incidents by User, User Incidents by Device, and Incident Feed.
The following are the available incident categories under the Users subtab:
Multi device users
Flags users with more than three devices assigned to them.
Geofence violators
Lists users whose devices consistently cross geofence boundaries, signaling possible misuse or non-compliance.
Location anomalies
Detects unusual user location reporting, which may suggest spoofing or suspicious activity.
Passwords at risk
- Password modifications – Alerts when technicians modify local login credentials more than three times a week.
How to assign an incident to a technician?
Admins can assign incidents to technicians to ensure accountability and timely resolution. Assigning an incident means designating a specific technician responsible for investigating and resolving it, whether it involves troubleshooting a device, fixing a configuration issue, updating a license, or contacting the end user.
Steps to assign an incident to a technician:
- Navigate to the Incidents tab and open the relevant subtab where the incident is listed.
- Each section displays all incidents under that category. Locate the required incident and click Add assignee.
- From the drop-down menu, select the technician to whom you want to assign the incident.
- From the same window, you can also update the Status and Verdict of the incident.
Filtering incidents
The Filter option helps admins quickly narrow down incidents based on specific criteria, making it easier to focus on particular events.
You can filter incidents by:
- Time – Filter incidents based on their creation date. Options include All, Today, Yesterday, Last 7 Days, Last 30 Days, or Custom for a specific date range.
- Assignee – Filter incidents assigned to a particular technician by searching for their name.
- Severity – Select incidents based on automatically assigned severity levels: Critical, High, Medium, Low, or Info. Admins may manually adjust severity if needed.
- Status – Filter by current status of the incident: Open, In-Progress, or Resolved.
- Verdict – Filter incidents by their outcome, which reflects the final assessment or current state of the issue after the resolution by the assigned technician. Three options are available:
  - Pending: The incident is still under investigation or awaiting resolution.
  - False-Positive: The incident was flagged by the system but later confirmed as a non-issue.
  - Fixed: The incident has been resolved successfully, and no further action is required.
Viewing incident details and history
Each incident in the Incidents tab includes a detailed view that helps admins understand its origin, track its progress, and review all related actions. From this view, admins can analyze the incident timeline and maintain a complete record through comments and activity logs.
Clicking on an incident opens a detailed view with the following information:
- A Details section including occurrence time, incident ID, and a short description. These are automatically generated when the incident is detected.
- Options to assign a technician, update the severity, change the status, and set the verdict.
- A Comments section where you can add notes related to the incident task.
- An incident history button at the top-right corner, which opens a complete log of all activities for the incident task, including comments and status changes.
The Incidents tab provides IT admins with actionable visibility into critical, endpoint, and user-level issues within Hexnode UEM. By reviewing incidents in detail and leveraging dashboards for quick overviews, admins can take timely actions to maintain compliance, mitigate risks, and secure the enterprise environment.