Help Center
14 DAY FREE TRIAL
Search Close Search
Search result for "aa"
View all results

No Search Results

14 DAY FREE TRIAL
  1. Help Center
  2. Solution Framework
  3. Security Posture & Compliance

Category filter

Setting Up Multi-Factor Authentication (MFA) for Hexnode Portal Access

Jump To

Overview

In a Unified Endpoint Management (UEM) environment, the administration portal is the “keys to the kingdom.” Enabling Multi-Factor Authentication (MFA)—also referred to as Two-Step Verification—is the single most effective way to prevent unauthorized access to your organization’s device fleet. Hexnode supports multiple secondary verification factors to ensure that only authenticated technicians can modify policies or execute remote commands.

Phase 1: Prerequisites for MFA Methods

Hexnode supports three primary verification channels. Depending on your choice, ensure the following requirements are met:

  • Authenticator App (TOTP): Technicians must have Google Authenticator or Microsoft Authenticator installed on their mobile devices. (Highly Recommended).
  • Email OTP: The portal will use the registered business email of the technician.
  • SMS OTP: Requires configuring SMS Settings on your portal (under Admin > SMS Settings) to enable technician login using OTP via SMS.

Phase 2: Enabling MFA for Technicians

MFA is managed at the technician level, allowing for granular security controls based on user roles.

  1. Log in to your Hexnode UEM Portal as a Super Admin/Admin.
  2. Navigate to Admin > Technicians and Roles.
  3. To enable MFA for an existing technician, click the More icon (…) next to their name and select Edit Technician.

    4. Screenshot of the Hexnode UEM console showing the Admin tab. The 'Technicians and Roles' section is selected from the left-hand menu. The 'Edit Technician' window is open (accessed via the More icon next to a technician's name), with the screen scrolled down to the Two Factor Authentication section to enable MFA for Hexnode UEM portal.

  4. Scroll down to the Two Factor Authentication section.
  5. Select your preferred Verification Mode:
    1. Authenticator App
    2. Send Verification Code via Email
    3. Send Verification Code via Text Message
  6. Click Save.
Note:

The moment Two-Factor Authentication is enabled, modified, or a username/email is changed, the technician will be forcefully logged out of their active session immediately and must re-authenticate.

Phase 3: The Login Experience

Once enabled, the technician will be prompted to verify their identity during their next login attempt.

For Authenticator App:

  1. The technician enters their standard credentials (username/password) or SSO credentials.
  2. A QR Code will be displayed on the login screen.
  3. The technician scans the QR code using their authenticator app.
  4. Enter the 6-digit verification code generated by the app on the portal to successfully complete the setup.

For Email/SMS OTP:

  • Upon entering credentials, a code is automatically dispatched to the technician’s registered email or mobile number.
  • Strict Security Limits: The verification code sent is only valid for 3 minutes. If the 3 minutes expire, or if the code is entered incorrectly three times, the OTP is invalidated, and a new verification code must be requested.

Phase 4: Identity Provider (IdP) Integration for SSO MFA

If your organization uses Microsoft Entra ID, Google Workspace, or Okta, you can offload MFA management entirely to your Identity Provider.

  1. Navigate to Admin > Logon Restrictions.

    2. Screenshot of the Hexnode UEM console showing the Admin tab. The 'Logon Restrictions' section is selected from the left-hand menu, displaying configuration options to manage technician login security and complement MFA for Hexnode UEM portal.

  2. Scroll to Global SSO Login Settings.
  3. Under Allowed SSO logins, select the providers (e.g., Microsoft, Google, or Okta) that technicians are permitted to use.

By enforcing MFA at the IdP level, technicians will be challenged by your corporate security policies before they are redirected to the Hexnode portal.

Security Best Practices

Best Practice Recommendation
Preferred Method Use Authenticator Apps (TOTP) over SMS/Email to mitigate “SIM swapping” or email hijacking risks.
Global Enforcement Ensure all technicians, especially those with Super Admin or Admin roles, have MFA enabled.
Session Management Configure Logout Automatically on a per-technician basis under their specific profile details (Admin > Technicians and Roles > Edit Technician). Additionally, note that Hexnode automatically forces a logout if a login to the same account is attempted from multiple browsers/devices concurrently.
Emergency Access Ensure more than one Super Admin exists with MFA enabled on different devices to avoid being locked out of the portal.

Troubleshooting

  • Code Not Received (SMS/Email): Check the Admin > SMS Settings logs to ensure the gateway is active, or check spam folders.
  • Invalid App Code: Ensure the time/date settings on the technician’s mobile device are set to Automatic. TOTP codes are time-sensitive and will fail if the device clock is out of sync.
  • Lost Device (Reconfiguring Authenticator): The Admin technician can navigate to their profile settings under Two Factor Authentication and simply click the Reconfigure Authenticator app button. This will invalidate the old device and generate a new QR Code on the screen.
Need more help?
Image of Raise a Ticket Raise a Ticket
Image of Ask Community Ask Community
Image of Chat With us Chat With us
Solution Framework