Category filter
Enterprise Guide to Migrating Workspace ONE to Hexnode
A comprehensive enterprise migration framework for transitioning from VMware Workspace ONE to Hexnode UEM.
This migration guide helps IT teams move devices, applications, policies, automation workflows, and compliance configurations from Workspace ONE to Hexnode UEM while minimizing operational disruption.
Why Organizations Are Migrating from Workspace ONE?
Many enterprises are reassessing their UEM strategy due to:
- Increasing platform complexity
- VMware ecosystem changes
- Licensing and infrastructure costs
- Administrative overhead
- Slow operational workflows
- Complex automation dependencies
- Consolidation of endpoint management tools
Organizations migrating to Hexnode UEM commonly seek:
- Simplified UEM administration
- Faster deployment workflows
- Unified multi-platform management
- Reduced infrastructure dependency
- Improved onboarding experience
- Easier policy management
- Lower operational costs
Migration Overview
Recommended Migration Phases:
- Environment Assessment
- Parallel Deployment
- Policy and Automation Mapping
- Device Migration
- Validation and Optimization
- Workspace ONE Decommissioning
Prerequisites
Before migration, ensure you have:
- Administrative access to Workspace ONE and Hexnode UEM
- Workspace ONE UEM inventory exports
- Application deployment inventory
- Smart Group structure documentation
- Compliance policy documentation
- Certificate and Tunnel configuration details
- Existing automation workflow documentation
- Script and sensor inventories
Phase 1 – Environment Assessment
The assessment phase identifies all Workspace ONE dependencies and configurations that must be recreated or redesigned in Hexnode UEM.
Export Device Inventory
Export all managed endpoint details from Workspace ONE.
Recommended Inventory Fields
| Category | Details |
|---|---|
| Device identity | Serial number, device ID |
| Ownership | Corporate or BYOD |
| Platform | Windows, macOS, Android, iOS |
| Enrollment type | Automated, manual, BYOD |
| Compliance state | Current device posture |
| Assigned user | Email and department |
Analyze Smart Group Architecture
Workspace ONE Smart Groups should be mapped to Hexnode Dynamic Groups.
Smart Groups → Dynamic Groups Mapping
| Workspace ONE Smart Groups | Hexnode Equivalent |
|---|---|
| Organization Group-based targeting | Dynamic Groups |
| Platform-based Smart Groups | Device criteria groups |
| Ownership-based groups | Ownership filters |
| Tag-based assignment | Tags and custom grouping |
Recommended Actions
- Remove duplicate Smart Groups
- Consolidate outdated assignment logic
- Simplify nested targeting structures
Many Workspace ONE environments accumulate legacy Smart Groups over time. Migration is a good opportunity to simplify assignment architecture.
Compliance and Restriction Audit
Review all compliance rules configured in Workspace ONE.
Validate:
- Password policies
- Device encryption
- Root/jailbreak detection
- OS version requirements
- Firewall enforcement
- Threat defense integrations
- Device inactivity rules
Recommended Outcome
Build a compliance equivalency matrix before migration.
| Workspace ONE Policy | Hexnode Equivalent | Notes |
|---|---|---|
| Compliance engine rules | Compliance policies | Validate remediation actions |
| Device restrictions | Policy restrictions | Review OS support parity |
Workspace ONE Tunnel Assessment
Workspace ONE Tunnel configurations require special attention during migration.
Review existing tunnel dependencies
- Per-app VPN
- Internal web applications
- Secure content access
- Reverse proxy configurations
- Certificate authentication workflows
Workspace ONE Tunnel Alternatives in Hexnode UEM
| Workspace ONE Component | Hexnode UEM Alternative |
|---|---|
| Workspace ONE Tunnel | Third-party VPN integrations |
| Per-app secure access | Managed VPN configurations |
| Secure internal app access | Identity-aware access controls |
| Proxy-based application access | VPN and gateway integrations |
Important Considerations
Migration planning should include:
- VPN vendor compatibility
- Certificate dependencies
- Authentication workflows
- Mobile application VPN behavior
- Split tunnel requirements
Freestyle Orchestrator Workflow Analysis
Workspace ONE Freestyle Orchestrator workflows must be documented before migration.
Identify Existing Automations
Review:
- Device onboarding workflows
- Compliance remediation
- Conditional deployment sequences
- Automated app installations
- Script execution chains
- Context-aware actions
Freestyle Orchestrator Equivalents in Hexnode UEM
Typical Workflow Replacements:
| Workspace ONE Freestyle | Hexnode UEM Approach |
|---|---|
| Automated deployment flows | Policy automation |
| Sequential app deployment | Staged deployment policies |
| Compliance remediation | Automated actions |
| Context-aware scripting | Dynamic policy assignments |
Recommended Strategy
Do not directly replicate complex workflows without optimization. Instead:
- Document business objectives
- Eliminate redundant automation
- Simplify deployment logic
- Rebuild only necessary workflows
Sensor and Script Migration Assessment
Workspace ONE Sensors and Scripts often contain critical operational logic.
Review existing components:
- Sensors: Custom compliance checks, device health monitoring, hardware inventory collection, custom attribute reporting.
- Scripts: PowerShell scripts, Shell scripts, macOS automation, login scripts, remediation scripts.
Sensor and Script Migration Strategy
Recommended Migration Workflow:
- Export all scripts and sensors
- Categorize by platform and business function
- Remove deprecated scripts
- Validate execution dependencies
- Rebuild required automation in Hexnode UEM
Many legacy scripts reference Workspace ONE-specific APIs or paths and may require redesign.
Phase 2 – Parallel Deployment
Deploy Hexnode alongside Workspace ONE before large-scale migration.
Coexistence Strategy
A phased coexistence model is recommended for enterprise deployments.
Common Deployment Models
| Strategy | Use Case |
|---|---|
| Pilot coexistence | Small testing groups |
| Department migration | Enterprise rollouts |
| Geographic rollout | Distributed organizations |
Identity Integration
Configure identity providers in Hexnode UEM.
Common integrations
Validate
- SSO functionality
- Group synchronization
- RBAC mappings
- User provisioning
Certificate and Token Planning
Review
- APNs certificates
- Android Enterprise tokens
- SCEP integrations
- PKI infrastructure
- VPN certificates
Certificate issues are one of the most common migration blockers.
Phase 3 – Migration Execution
This phase handles active device and workload migration.
Windows Device Migration
- Remove Workspace ONE enrollment dependencies
- Configure Windows enrollment in Hexnode UEM
- Reapply policies
- Redeploy applications
- Validate compliance reporting
Validate
- BitLocker reporting
- Device inventory
- VPN access
- Patch policies
Apple Device Migration
Migration Steps
- Reassign devices in Apple Business
- Remove Workspace ONE profiles
- Re-enroll in Hexnode UEM
- Reapply supervision policies
- Validate VPP applications
Android Enterprise Migration
Recommendation Steps
- Remove old work profile
- Re-enroll into Hexnode UEM
- Reassign Managed Google Play apps
- Apply compliance policies
Some enrollment modes may require factory reset.
App Catalog Migration
The Workspace ONE app catalog should be audited before migration.
Review Existing Applications
- Internal enterprise apps
- Win32 applications
- VPP applications
- Managed Google Play apps
- macOS PKG deployments
- SaaS application shortcuts
App Catalog Migration Strategy
Recommended Process:
- Export current application catalog
- Identify unused applications
- Validate installation methods
- Repackage legacy apps if needed
- Recreate deployment assignments
Recommended Validation
| Validation Area | Check |
|---|---|
| Silent installation | Successful deployment |
| Licensing | Available entitlements |
| Managed configurations | Proper app settings |
| VPN dependencies | Connectivity validation |
Phase 4 – Validation and Optimization
Compliance Validation
Validate:
- Encryption status
- Password enforcement
- Device restrictions
- OS compliance
- Threat detection.
Automation Validation
Review migrated workflows.
Verify:
- Script execution
- Automated remediation
- App deployment logic
- Dynamic assignments
- Device targeting
User Experience Testing
Validate:
- Login experience
- VPN connectivity
- Internal app access
- Self-service workflows
- Enrollment experience
Phase 5 – Workspace ONE Decommissioning
After migration validation, begin controlled Workspace ONE retirement.
Disable Legacy Policies
Gradually disable:
- Compliance rules
- Device restrictions
- Application deployments
- Legacy automations
Remove Tunnel Dependencies
Retire
- Tunnel configurations
- Reverse proxies
- Legacy VPN dependencies
- Old certificates
Archive Historical Reporting
Before decommissioning:
- Export audit logs
- Preserve compliance history
- Archive deployment reports
- Retain licensing documentation
Rollback Planning
A rollback strategy should exist before production rollout.
Recommended Rollback Options
| Migration Phase | Rollback Strategy |
|---|---|
| Pilot rollout | Re-enrollment in Workspace ONE |
| Department migration | Scoped rollback |
| Production deployment | Parallel coexistence recovery |
Downtime Expectations
| Platform | Typical User Impact |
|---|---|
| Windows | Low to medium |
| Apple devices | Low |
| Android Enterprise | Medium |
| BYOD | Medium |
Common User Impacts
- App reauthentication
- VPN reprovisioning
- Device restarts
- Compliance re-evaluation
Common Migration Failure Scenarios
Tunnel Connectivity Failure
- Cause: VPN or certificate mismatch after migration.
- Prevention: Validate authentication and VPN behavior during pilot testing.
Dynamic Group Misconfiguration
- Cause: Improper Smart Group conversion logic.
- Prevention: Test all assignment filters before production rollout.
Script Execution Failure
- Cause: Workspace ONE-specific script dependencies.
- Prevention: Validate all scripts in a controlled environment first.
App Deployment Issues
- Cause: Packaging incompatibilities or missing dependencies.
- Prevention: Test silent installation behavior during pilot rollout.
Risk Matrix
| Risk | Severity | Likelihood | Mitigation |
|---|---|---|---|
| VPN disruption | High | Medium | Pilot validation |
| Certificate expiration | High | Medium | Certificate audit |
| Group targeting errors | Medium | Medium | Assignment testing |
| Automation failures | Medium | High | Workflow redesign |
| User disruption | Medium | High | Staggered rollout |
Recommended Enterprise Migration Strategy
For large-scale deployments:
- Start with pilot users
- Simplify automation before migration
- Migrate by department or geography
- Maintain coexistence temporarily
- Validate security posture continuously
- Delay Workspace ONE shutdown until audit completion
