Handle Multi-Region Device Deployments

Scaling device management across multiple geographic regions is one of the most demanding tasks an IT team can face. Between navigating data isolation requirements, maintaining low latency, and enforcing location-specific compliance, the complexity can quickly escalate. This FAQ is designed specifically for IT Administrators and Systems Architects who are actively planning or executing a massive, globally distributed deployment using Hexnode UEM.

Here, we address the practical pain points, architectural considerations, and “what if” scenarios to ensure your global rollout is as seamless and secure as possible.

1. Global Architecture & Multi-Tenant Scale

Q: I manage infrastructure for subsidiaries across North America, Europe, and Asia. Do I need to cram all these disparate entities into one massive portal?

A: Not at all. If your regional entities have strict data isolation requirements, distinct corporate policies, or separate billing structures, you should leverage the Hexnode UEM MSP Portal. This framework enables Multi-tenant Management, allowing you to create and oversee multiple independent instances of Hexnode from a single console. With Universal Login integrated with MFA, your global admins gain secure, centralized control over all regional portals without cross-contaminating their environments.

Q: If my central IT is in the US, but I’m deploying devices in the UAE and South Africa, will policy syncing suffer from high latency?

A: No, Hexnode’s architecture is engineered to handle global latency. To ensure highly reliable and low-latency over-the-air communication, Hexnode utilizes localized push servers mapped to specific regions (such as push-eu.hexnode.com, push-uae.hexnode.com, and push-cpt.hexnode.com). Furthermore, Hexnode leverages Amazon CloudFront as a global CDN, meaning enterprise apps and static configurations are downloaded from edge locations closest to your users, drastically reducing deployment bottlenecks.

Q: Our network team is building a global firewall policy. What ports and domains must be allowlisted to ensure devices don’t drop off the map?

A: To guarantee uninterrupted device communication and enrollment across all regions, your firewalls must globally allow:

  • TCP 443 (HTTPS): Critical for standard management and enrollment.
  • TCP/UDP 53: Required for DNS resolution. Without this, devices cannot resolve or reach Hexnode servers.
  • Ports 1883 and 8883: Required for Hexnode’s MQTT real-time communication protocols.
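
A rule set can contain every required port and still block some of them when an earlier deny shadows a later allow. The following added example (not Hexnode code) audits a constructed egress rule list against the flows listed above; the rule format and first-match evaluation are assumptions of the sketch, and MQTT on 1883/8883 is treated as TCP.

```python
# Required flows taken from the FAQ answer above.
REQUIRED_FLOWS = [
    ("tcp", 443, "HTTPS management and enrollment"),
    ("tcp", 53, "DNS resolution"),
    ("udp", 53, "DNS resolution"),
    ("tcp", 1883, "MQTT"),
    ("tcp", 8883, "MQTT"),
]

def first_match(rules, proto, port):
    """Return the action of the first rule matching proto/port (implicit deny)."""
    for rule in rules:
        low, high = rule["ports"]
        if rule["proto"] in (proto, "any") and low <= port <= high:
            return rule["action"]
    return "deny"

def missing_flows(rules):
    """List the required flows that this rule set would block."""
    return [(proto, port, why) for proto, port, why in REQUIRED_FLOWS
            if first_match(rules, proto, port) != "allow"]

# Constructed sample: hypothetical regional egress policy (assumed format).
SAMPLE_RULES = [
    {"proto": "tcp", "ports": (443, 443), "action": "allow"},
    {"proto": "udp", "ports": (53, 53), "action": "allow"},
    {"proto": "tcp", "ports": (1024, 65535), "action": "deny"},  # blanket high-port block
    {"proto": "tcp", "ports": (8883, 8883), "action": "allow"},  # shadowed by the deny above
]

if __name__ == "__main__":
    for proto, port, why in missing_flows(SAMPLE_RULES):
        print(f"blocked: {proto}/{port} ({why})")
```

The sample policy fails three flows: DNS over TCP was never allowed, 1883 falls inside the high-port deny, and the 8883 allow is never reached because the deny precedes it.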

2. Automated Provisioning & Access Control

Q: How do we physically deploy 10,000 devices across different continents without flying IT staff everywhere or touching every device?

A: You can completely eliminate the manual provisioning bottleneck by integrating Hexnode with native out-of-the-box (OOB) deployment programs. By utilizing Apple Business Manager (ABM), Android Enterprise, Samsung Knox, or Windows Autopilot, hardware can be drop-shipped directly from the distributor to your regional end-users. The moment the user powers on the device and connects to Wi-Fi, it automatically authenticates, enrolls into Hexnode, and pulls down the specific apps and security certificates required for their region.

Q: Can we restrict access to corporate cloud resources based on the specific regional office a user is sitting in?

A: Yes, you can accomplish this by integrating Hexnode with Identity Providers like Microsoft Entra ID (formerly Azure AD). First, set up Named Locations in Entra ID by defining the public IPv4/IPv6 ranges of your regional offices. Next, configure a Conditional Access Policy mapped to those specific network locations. If an employee tries to access sensitive resources from an untrusted regional IP, the policy will dynamically block access or enforce stricter multifactor authentication.
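
As an added example (not code from Hexnode or Microsoft), the sketch below validates regional office ranges before they become Named Locations and models the resulting access decision locally. The request body follows the Microsoft Graph `ipNamedLocation` schema; the office names, the documentation-range addresses and the `access_decision` helper are assumptions.

```python
import ipaddress

# Ranges that can never be a public office egress address: RFC 1918, CGNAT,
# loopback, link-local, IPv6 unique-local and link-local.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10")]

def build_named_location(name, cidrs, trusted=True):
    """Build a Graph ipNamedLocation body, rejecting non-public ranges."""
    ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
        if any(b.version == net.version and net.overlaps(b) for b in NON_PUBLIC):
            raise ValueError(f"{cidr} is not a public range")
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}",
                       "cidrAddress": str(net)})
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": name, "isTrusted": trusted, "ipRanges": ranges}

def matching_location(source_ip, locations):
    """Return the first named location whose ranges contain source_ip."""
    addr = ipaddress.ip_address(source_ip)
    for loc in locations:
        for r in loc["ipRanges"]:
            net = ipaddress.ip_network(r["cidrAddress"])
            if addr.version == net.version and addr in net:
                return loc
    return None

def access_decision(source_ip, locations, untrusted_action="block"):
    """Local model of the policy outcome: allow from trusted, else block or mfa."""
    loc = matching_location(source_ip, locations)
    if loc and loc["isTrusted"]:
        return "allow"
    return untrusted_action

# Constructed sample offices using documentation ranges (RFC 5737 / RFC 3849).
OFFICES = [
    build_named_location("Dubai office", ["203.0.113.0/24", "2001:db8:ae::/48"]),
    build_named_location("Cape Town office", ["198.51.100.0/25"]),
]
```

Rejecting private and CGNAT ranges up front catches a common mistake: entering an office's internal LAN subnet instead of its public egress address, which the identity provider never sees.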

3. Adaptive Geofencing & Location Security

Q: What if a device requires entirely different security restrictions when it moves from our main HQ to a regional branch?

A: Instead of relying on helpdesk tickets for manual profile reassignment, you can automate this workflow using Geofencing:

  1. Navigate to Admin > Geofencing and define your physical boundaries (you can trace a precise polygon around your building or set a circular radius).
  2. Go to Manage > Device Groups and create two Dynamic Device Groups. Configure the location filter to Include the geofence for the “HQ” group, and Exclude the geofence for the “Field” group.
  3. Apply your respective policies to these groups. When a device physically moves, Hexnode dynamically evaluates its GPS coordinates during scheduled syncs and automatically swaps the policies in real-time.

Q: We operate under strict data compliance rules. What happens if a high-security device is stolen or taken completely outside an authorized country?

A: You can build a self-enforcing “Lock-on-Exit” perimeter.

  1. Create a Compliance Policy that marks a device as “Out of Compliance” the moment it moves out of your authorized Geofence.
  2. Navigate to the Automate tab and create a new Automation triggered by Location Non-Compliance.
  3. Set the resulting Security Action to Lock Device (which forces the device to the lock screen) or Enable Lost Mode (which strictly freezes the user out of the hardware). The system will execute this containment protocol automatically, securing the asset before a breach can occur.
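
The two geofencing workflows above (dynamic HQ/Field groups and Lock-on-Exit) rest on the same test: is the last reported fix inside the fence? This added example is a local model of that evaluation, not Hexnode's implementation; the data shapes, coordinates, action name and the fail-closed handling of stale fixes are assumptions.

```python
import math

EARTH_RADIUS_M = 6371000

def in_circle(point, center, radius_m):
    """Haversine distance test; points are (lat, lon) in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*point, *center))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a)) <= radius_m

def in_polygon(point, vertices):
    """Ray casting over (lat, lon) vertices; fine for building-sized fences."""
    lat, lon = point
    inside = False
    for (lat1, lon1), (lat2, lon2) in zip(vertices, vertices[1:] + vertices[:1]):
        if (lon1 > lon) != (lon2 > lon):
            crossing = lat1 + (lon - lon1) * (lat2 - lat1) / (lon2 - lon1)
            if lat < crossing:
                inside = not inside
    return inside

def inside_fence(point, fence):
    """Dispatch to the circle or polygon test based on the fence type."""
    if fence["type"] == "circle":
        return in_circle(point, fence["center"], fence["radius_m"])
    return in_polygon(point, fence["vertices"])

def evaluate(fix, fence, max_age_s=900):
    """Return (group, compliant, action) for one reported location fix.

    A fix older than max_age_s is treated as an unknown location and fails
    closed (an assumption of this sketch, not documented Hexnode behaviour).
    """
    if fix["age_s"] <= max_age_s and inside_fence(fix["pos"], fence):
        return ("HQ", True, None)
    return ("Field", False, "lock_device")

# Constructed sample fences (coordinates are illustrative only).
HQ_CIRCLE = {"type": "circle", "center": (25.2048, 55.2708), "radius_m": 200}
HQ_POLYGON = {"type": "polygon", "vertices": [
    (25.204, 55.270), (25.204, 55.272), (25.206, 55.272), (25.206, 55.270)]}
```

Because membership is only re-evaluated when a fix arrives, the sync interval bounds how long a device can sit outside the fence before containment triggers.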

Q: How do we prevent clever end-users from downloading GPS spoofing apps to fake their region and bypass our geofenced restrictions?

A: Hexnode provides strict controls to prevent location tampering, especially on Android devices. Navigate to your Android Restrictions policy, go to Basic > Allow Location Settings, and explicitly uncheck the Mock location option. Additionally, enabling the Force GPS to fetch location restriction guarantees that end-users cannot simply disable their location services to fly under the IT radar.

4. Remote Support & Fleet Maintenance

Q: How can my centralized IT operations effectively support end-users who are thousands of miles away and experiencing critical system errors?

A: Distance shouldn’t diminish your support capabilities. Hexnode’s Remote View and Control equips your helpdesk with real-time diagnostic access to distributed devices, allowing technicians to navigate the UI and remediate issues as if they were holding the tablet or laptop. For complex, fleet-wide interventions, administrators can utilize Hexnode’s remote capabilities to push custom system configurations or execute custom scripts directly over the air, ensuring uniform compliance no matter where the endpoint resides.
