Help Center
14 DAY FREE TRIAL
Search Close Search
Search result for "aa"
View all results

No Search Results

14 DAY FREE TRIAL
  1. Help Center
  2. Solution Framework
  3. Provisioning

Category filter

Enterprise Signaling Architecture: The Hexnode UEM Triple-Channel Engine

Jump To

Orchestrating Real-Time Command Delivery at Scale

1. Executive Summary: The “Sub-Second” Imperative

At an enterprise scale of 500,000 devices, reliance on a single communication pathway creates a critical point of failure. If an organization relies solely on standard OS push services (Apple APNs or Google FCM), a regional ISP outage or a strict firewall can isolate thousands of devices, leaving them vulnerable to security threats and unmanageable during crises.

This document details the Hexnode Triple-Channel Engine—a redundant, multi-path control plane designed to ensure management command (e.g., “Wipe Device”, “App Install Applications”) reach the hardware in sub-seconds, regardless of network conditions.

2. Logical Architecture: The Signaling Nerve Center

The Triple-Channel Engine operates as a tiered priority system, decoupling the intent of a command from its delivery method. When an administrator triggers an action, the engine analyzes the device’s real-time socket health and selects the optimal path from three distinct channels:

  • Primary (The Live Wire): A persistent, bidirectional MQTT socket (Hexnode Proprietary) for instant execution.
  • Secondary (The Wake-Up): OS-level Platform Push (APNs, FCM, WNS) to wake dormant devices.
  • Tertiary (The Safety Net): HTTPS Polling for restricted, or proxy-heavy environments.

3. Channel 1: Hexnode MQTT (“The Live Wire”)

  • Protocol: MQTT v5.0 over TLS 1.3
  • Ports: TCP 1883 (Standard) / 8883 (Secure)

The MQTT channel is the primary driver of Hexnode’s speed. Unlike legacy MDM solutions that wait for a device to “check in,” Hexnode utilizes a lightweight, persistent TCP connection directly between the Hexnode Agent on the device and the Hexnode Cloud.

3.1 Packet Efficiency & Serialization

To manage bandwidth across 500,000 cellular connections, the signaling layer is highly optimized.

  • Payload Strategy: Instead of sending full configuration files over the signaling channel, Hexnode sends tiny “Intent Packets.”
  • Bandwidth Impact: A “Lock Device” command is reduced to < 400 bytes. This ensures successful delivery even on congested 2G/EDGE networks or high-latency VSAT links.

3.2 Resilience in Restrictive Geographies

A critical advantage of this proprietary channel is its independence from Big Tech infrastructure.

  • The “Great Firewall” Scenario: In regions where Google Services (FCM) are blocked (e.g., China), standard Android management fails. Hexnode’s MQTT channel (Port 8883) functions independently, ensuring global command delivery without requiring a VPN.

4. Channel 2: Native Push Services (“The Wake-Up Call”)

  • Services: Apple APNs, Google FCM, Windows WNS
  • Ports: TCP 5223 (APNs), 5228-5230 (FCM), 443 (WNS)

In modern mobile OS architectures, background apps are aggressively “killed” to save battery. If the Hexnode Agent is asleep, the MQTT socket may close.

  • The “Shadow” Signal: Hexnode uses the Platform Push purely as a trigger, not the payload transport.
  • The Workflow:
    • Hexnode Cloud sends a high-priority “Wake Up” token via APNs/FCM.
    • The OS receives the packet in the system background.
    • The OS wakes the Hexnode UEM App for a limited processing window.
    • The App immediately “seizes” the network interface and reconnects Channel 1 (MQTT) to download the actual command instructions.

5. Channel 3: Agent Ping & Polling (“The Heartbeat”)

  • Protocol: HTTPS (TLS 1.2+)
  • Port: TCP 443

This is the “Fail-Safe” lane. If Ports 8883 (MQTT) and 5223 (APNs) are blocked by a strict corporate firewall, the device falls back to standard web traffic.

  • Periodic Sync: The Hexnode Agent performs a “Periodic Sync” (configurable from 15 minutes to 24 hours).
  • The Pull Mechanism: The device initiates an outbound GET /v1/sync request. Because this looks like standard web browsing traffic, it successfully traverses SSL-Inspecting Proxies (e.g., Zscaler, BlueCoat) and authenticated gateways (NTLM/Kerberos) where other protocols fail.

6. Technical Comparison: Why Triple-Channel Wins

Metric Legacy MDM (Polling Only) Hexnode Triple-Channel
Command Latency 15 min – 4 hours 1.0 Second (Real-Time)
Reliability Fails if Push is throttled 99.99% (Redundant paths)
Global Reach Fails in China (No Google) Works Globally (Proprietary MQTT)
Battery Impact High (Frequent radio wake-ups) Optimized
Firewall Traversal Blocked easily Proxy-Aware (HTTPS Fallback)

7. Implementation Checklist for Network Engineers

To enable the Triple-Channel Engine, the following “Allowlist” configurations are recommended for your perimeter firewalls:

  1. Primary (MQTT): Allow Outbound TCP 1883 (Non-SSL) and 8883 (SSL) to *.hexnode.com (or your dedicated portal URL).
    1. Critical: It is recommended to “Deep Packet Inspection” (DPI) does not terminate these long-lived TLS connections.
  2. Secondary (Push):
    1. Apple: Allow TCP 5223 to 17.0.0.0/8 (Apple Class A Block).
    2. Android: Allow TCP 5228, 5229, 5230 to fcm.googleapis.com.
    3. Windows: Allow TCP 443 to *.notify.windows.com.
  3. Tertiary (Sync): Allow TCP 443 to *.hexnode.com and downloads.hexnode.com for policy and app downloads.
  4. Timeout Config: Set Firewall TCP Idle Timeout to > 60 Minutes for Port 8883 to prevent “Silent Drops” of the MQTT heartbeat.
Need more help?
Image of Raise a Ticket Raise a Ticket
Image of Ask Community Ask Community
Image of Chat With us Chat With us
Solution Framework