
Network Fencing: Restricting Corporate App Use to Specific SSIDs

Network Fencing is a security protocol that restricts the functionality of enterprise applications based on the Service Set Identifier (SSID) the device is currently connected to. This guide outlines the implementation of Network Fencing (SSID-based application restriction) within the Hexnode UEM ecosystem. By leveraging Dynamic Device Groups and Policy Association, administrators can automate app compliance based on the device’s connection state.

Implementation Logic: The Dynamic Evaluation Model

Hexnode UEM does not use a standalone “Network Fence” switch. Instead, it utilizes Dynamic Device Groups to continuously evaluate the Wi-Fi SSID attribute. When a device’s reported SSID deviates from the “Trusted” value, it triggers an automatic policy shift.

Enforcement Logic Table

| Connection State | SSID Condition | Dynamic Group Membership | Policy Action |
|---|---|---|---|
| Connected to Corporate Wi-Fi | Matches Trusted SSID | Excluded from Restricted Group | Apps remain accessible |
| Connected to Guest/Home Wi-Fi | Does not match | Included in Restricted Group | Blocklist Policy enforced |
| Cellular Data / No Wi-Fi | SSID is Null/Mismatch | Included in Restricted Group | Blocklist Policy enforced |

Configuration Workflow

Step 1: Define the Trusted Network (Wi-Fi Policy)

Ensure devices can seamlessly connect to the authorized network to avoid accidental lockouts.

  1. Navigate to Policies > New Policy.
  2. Select the platform.
  3. Go to Network > Wi-Fi and enter the SSID.
  4. Configure Security Type and Password/Certificate.
  5. Enable Auto-join to prioritize this connection.
  6. Save and Associate with your target devices.

Step 2: Create the Dynamic Device Group

This group acts as the “trigger” for restrictions.

  1. Navigate to Manage > Device Groups > New Dynamic Device Group.
  2. Name the group (e.g., Non-Compliant Network Group).
  3. Under Criteria, set:
    1. Parameter: Wi-Fi SSID
    2. Condition: is not
    3. Value: [Corporate SSID]
  4. Save the group. Hexnode will now automatically populate this group with any device not on the trusted network.

Step 3: Configure App Restrictions (Blocklist Policy)

  1. Navigate to Policies > New Policy (e.g., Out-of-Office App Restriction).
  2. Go to App Management > Blocklisting/Allowlisting.
  3. Select Blocklist and add the specific enterprise apps to be restricted.
  4. Go to Policy Targets and associate this policy only with the Dynamic Device Group created in Step 2.

Platform-Specific Considerations

  • Location Services: On Android and iOS, Hexnode requires Location Services to be “On” to report the connected SSID. Ensure the Hexnode for Work/Hexnode UEM app has “Always” location permissions.
  • Hidden SSIDs: If your corporate network is hidden, ensure the Hidden Network checkbox is enabled in the Wi-Fi Policy (Step 1).
  • Sync Interval: Policy enforcement occurs during the device’s periodic sync with the Hexnode server. For immediate enforcement, administrators can trigger a Scan Device action from the Manage tab.
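
The enforcement table and the sync-interval note above can be combined into a small model that shows how long a device is off the trusted network before the blocklist applies. This is an added example, not Hexnode code: the SSID names, the timeline, and the assumption that group membership is re-evaluated only at each sync are constructed for illustration.

```python
TRUSTED_SSID = "CorpNet"  # constructed placeholder for [Corporate SSID]

def in_restricted_group(reported_ssid, trusted=TRUSTED_SSID):
    """Criteria 'Wi-Fi SSID is not <trusted>'. A null SSID (cellular, no Wi-Fi,
    or SSID not reported) is a mismatch, so the device lands in the group."""
    return reported_ssid != trusted

def exposure_windows(connections, syncs, trusted=TRUSTED_SSID):
    """connections: [(minute, ssid_or_None)] actual connection changes.
    syncs: [minute] times the device syncs and the server re-evaluates it.
    Returns [(start, end, enforced)]: spans where the device was off the
    trusted network while the blocklist was not applied. enforced is True
    when a sync closed the span, False when the device simply returned
    (end is None if the span is still open at the end of the timeline)."""
    events = [(t, 0, ssid) for t, ssid in connections] + [(t, 1, None) for t in syncs]
    events.sort(key=lambda e: (e[0], e[1]))  # connection change before sync on ties
    actual = None    # SSID the device is really on
    blocked = True   # assumption: restricted until a sync reports the trusted SSID
    opened, windows = None, []
    for t, kind, ssid in events:
        if kind == 0:
            actual = ssid                                   # device roams
        else:
            blocked = in_restricted_group(actual, trusted)  # server decision at sync
        exposed = in_restricted_group(actual, trusted) and not blocked
        if exposed and opened is None:
            opened = t
        elif not exposed and opened is not None:
            windows.append((opened, t, kind == 1))
            opened = None
    if opened is not None:
        windows.append((opened, None, False))
    return windows

# Constructed timeline, minutes since 09:00; syncs every 60 minutes.
CONNECTIONS = [(0, "CorpNet"), (40, None), (110, "HomeWiFi"),
               (250, "CorpNet"), (310, "GuestNet"), (330, "CorpNet")]
SYNCS = [5, 65, 125, 185, 245, 305, 365]

if __name__ == "__main__":
    for start, end, enforced in exposure_windows(CONNECTIONS, SYNCS):
        outcome = "closed by sync" if enforced else "never seen by a sync"
        print(f"off trusted network, apps usable: {start}-{end} min ({outcome})")
```

In this timeline the 20-minute stay on GuestNet falls entirely between two syncs, so the blocklist is never applied for it. The sync interval therefore bounds how short an off-network period the fence can catch.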

Monitoring & Compliance Audit

To track when devices enter or leave the restricted state:

  • Device Summary: Select a device in the Manage tab and check Action History to see when the Blocklist policy was applied/removed.
  • Reports: Run the Device Groups Report under Reports > Built in Reports > Data Usage > Device groups to see a history of Dynamic Group.