The Hardware-Verified Trust Engine: Engineering Device Integrity in Hexnode UEM
This technical framework defines how Hexnode UEM transitions from standard software-based status checks to Hardware-Rooted Integrity. By shifting the “Source of Truth” from the potentially compromised Operating System to dedicated security silicon, Hexnode ensures that a device’s security posture is cryptographically proven, not just reported.
The Architectural Concept: From “Setting-Based” to “Integrity-Backed” Trust
Traditional MDM compliance relies on the Operating System to truthfully answer queries like “Is your firewall enabled?” However, a compromised kernel or sophisticated malware can spoof these responses.
Hexnode UEM evolves this architecture by implementing Verified Posture. Instead of taking the OS at its word, Hexnode uses the platform-specific attestation frameworks to request a signed statement from the device’s security hardware (TPM or Secure Enclave). That statement carries the measurements recorded during boot: whether the bootloader is locked, whether the boot chain and kernel image match known-good values, and whether the encryption keys are held in silicon. Because the signing key never leaves the chip, a compromised OS can report whatever it likes but cannot produce a valid statement for a state the hardware did not measure. If the hardware-backed “handshake” fails, or the measurements do not match policy, the device is isolated regardless of what the OS software reports.
Technical Handshake & Verification Flow
The interaction follows a strict cryptographic sequence so that the health evidence (the “Health Blob”) cannot be forged, altered in transit, or replayed from an earlier, healthier state.
- Challenge: The Hexnode Agent initiates a health audit based on a scheduled sync or a policy trigger.
- Attestation: The device’s security chip (TPM/Secure Enclave) generates a “Quote” containing measurements of the boot state and firmware.
- Validation: This signed data is passed to the platform’s cloud-based verification service (Microsoft, Apple, or Google), which checks the signature and evaluates the reported measurements.
- Enforcement: Hexnode receives the resulting verdict (the “Trust Score”). If the signature is invalid or the state is “Untrusted,” the device is flagged as Non-Compliant.
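The four-step exchange above, reduced to a runnable model. This is an added example and not Hexnode, Microsoft, Apple or Google code: the security chip is simulated with an HMAC-SHA256 key that only the device side holds (a real TPM quote is signed with an asymmetric Attestation Key, but the verifier-side checks are the same), the PCR indices follow TPM convention while the digest values are made up, and the verifier combines the roles of the platform verification service and the UEM policy decision. It shows why an OS that edits its own health report fails the signature check, and why the nonce issued in the Challenge step is what stops a captured quote from being replayed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed "golden" measurements the verifier policy accepts. PCR0 holds the
# firmware measurement and PCR7 the Secure Boot policy; the values are made up.
GOLDEN_PCRS = {
    "0": hashlib.sha256(b"firmware-v12").hexdigest(),
    "7": hashlib.sha256(b"secure-boot-enabled").hexdigest(),
}


class SimulatedChip:
    """Stand-in for a TPM/Secure Enclave. Only the chip holds the key, so the
    OS can report anything it likes but cannot produce a valid quote."""

    def __init__(self, key: bytes, pcrs: dict):
        self._key = key
        self._pcrs = dict(pcrs)

    def quote(self, nonce: bytes) -> dict:
        # Step 2 (Attestation): sign the boot measurements together with the
        # verifier's nonce, so the quote is bound to this specific challenge.
        body = {"nonce": nonce.hex(), "pcrs": self._pcrs}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}


class Verifier:
    """Plays the platform verification service plus the UEM policy decision.
    Tracks outstanding nonces so a captured quote cannot be replayed."""

    def __init__(self, chip_key: bytes, golden: dict):
        self._key = chip_key
        self._golden = golden
        self._outstanding = set()

    def challenge(self) -> bytes:
        # Step 1 (Challenge): a fresh random nonce per health audit.
        nonce = secrets.token_bytes(32)
        self._outstanding.add(nonce.hex())
        return nonce

    def verify(self, quote: dict) -> tuple:
        # Step 3 (Validation). Returns ("Trusted" | "Untrusted", reasons).
        body = quote["body"]
        payload = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, quote["sig"]):
            return "Untrusted", ["signature invalid"]
        nonce = body["nonce"]
        if nonce not in self._outstanding:
            return "Untrusted", ["nonce unknown or already consumed (replay)"]
        self._outstanding.discard(nonce)  # single use
        reasons = [f"PCR{i} mismatch" for i, g in self._golden.items()
                   if body["pcrs"].get(i) != g]
        return ("Untrusted", reasons) if reasons else ("Trusted", [])


def run_scenarios() -> dict:
    chip_key = secrets.token_bytes(32)
    verifier = Verifier(chip_key, GOLDEN_PCRS)
    results = {}

    # Healthy device: measurements match policy.
    healthy = SimulatedChip(chip_key, GOLDEN_PCRS)
    good_quote = healthy.quote(verifier.challenge())
    results["healthy"] = verifier.verify(good_quote)

    # Replay: the same quote submitted again is rejected by the nonce check.
    results["replay"] = verifier.verify(good_quote)

    # Secure Boot off / bootloader unlocked: PCR7 differs and the chip signs honestly.
    tampered = dict(GOLDEN_PCRS, **{"7": hashlib.sha256(b"secure-boot-off").hexdigest()})
    bad_quote = SimulatedChip(chip_key, tampered).quote(verifier.challenge())
    results["secure_boot_off"] = verifier.verify(bad_quote)

    # Compromised OS rewrites the report to look healthy: signature no longer matches.
    spoofed = {"body": {"nonce": bad_quote["body"]["nonce"], "pcrs": dict(GOLDEN_PCRS)},
               "sig": bad_quote["sig"]}
    results["spoofed_report"] = verifier.verify(spoofed)

    # Device whose chip key is not the enrolled one (e.g. an emulator).
    rogue = SimulatedChip(secrets.token_bytes(32), GOLDEN_PCRS)
    results["rogue_chip"] = verifier.verify(rogue.quote(verifier.challenge()))
    return results


if __name__ == "__main__":
    for name, (verdict, reasons) in run_scenarios().items():
        print(f"{name:16s} {verdict:10s} {', '.join(reasons)}")
```

The order of checks matters: the signature is verified before anything in the body is trusted, the nonce is consumed before the measurements are compared, and only then is the policy applied. Step 4 (Enforcement) is whatever the UEM does with the returned verdict.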
Hexnode Integrity Variable Matrix
These specific parameters are monitored by Hexnode to differentiate between a “Managed” device and a “Trusted” device.
| Variable | Platform | Documented Hexnode Feature |
|---|---|---|
| TPM Version | Windows | Reports the presence and version of the TPM chip in Device Reports. |
| FileVault / Encryption | macOS / iOS | Verifies encryption status via the Apple MDM framework. |
| Root/Jailbreak Detection | Android / iOS | Reports whether the device shows root or jailbreak indicators, i.e. whether the OS has been modified outside the vendor’s trust chain. |
Execution Logic: The Hardware Gate
- SENSE: During every check-in, Hexnode pulls the Compliance Status which, for supported devices, is informed by these hardware-backed signals.
- THINK: If a device fails the integrity check (e.g., an unlocked bootloader on an Android device or a disabled TPM on Windows), the logic engine moves it to a “Critical” state.
- ACT: Hexnode automatically executes remediation:
  - Immediate Wipe: Deletes corporate accounts and managed apps.
  - Access Revocation: Severs VPN, Wi-Fi, and Email profiles.
  - Admin Alert: Notifies the Security Operations Center (SOC) of a potential breach.
Failure Modes & Remediation
| Error | Meaning | Resolution Path |
|---|---|---|
| Non-Compliant (Security) | Secure Boot is off or BitLocker is disabled. | Re-enable the required security feature via Hexnode Policy. |
| Integrity Check Fail | Android device failed integrity checks. | Check for custom ROMs or rooted software; disenroll if unsafe. |
| Sync Timeout | The device hasn’t reported health in the set interval. | Ensure the Hexnode Agent has background data permissions. |

A Sync Timeout means the device has supplied no evidence either way; treat it as a reporting fault to investigate, not as proof of compromise.
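The Hardware Gate and the failure-mode table combined into one policy evaluator, as an added example rather than Hexnode’s own logic. The check-in window (`STALE_AFTER_SECONDS`), the `Posture` fields, the action names and the sample fleet are all constructed for the example; Hexnode’s sync interval and remediation actions are configured by the admin. The point it makes is precedence: a stale device is alerted on but never wiped, an integrity failure (unlocked bootloader, failed platform verdict, root/jailbreak, missing TPM) is Critical and cuts access before anything else, and a disabled control on an otherwise intact platform is recoverable by re-pushing policy.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed check-in window. Hexnode's sync interval is admin-configured; this is
# a placeholder for the example.
STALE_AFTER_SECONDS = 6 * 3600

WIPE = "enterprise_wipe"               # remove corporate accounts and managed apps
REVOKE = "revoke_access"               # remove VPN, Wi-Fi and Email profiles
ALERT = "alert_soc"                    # notify the SOC
REMEDIATE = "push_remediation_policy"  # re-enable the required security feature


@dataclass
class Posture:
    """One device's check-in. None means the signal is not available on that platform."""
    device_id: str
    platform: str                        # windows | macos | ios | android
    seconds_since_checkin: int
    tpm_present: Optional[bool] = None
    secure_boot: Optional[bool] = None
    disk_encrypted: Optional[bool] = None
    bootloader_locked: Optional[bool] = None
    integrity_passed: Optional[bool] = None     # platform attestation verdict
    rooted_or_jailbroken: Optional[bool] = None


@dataclass
class Decision:
    state: str
    actions: List[str]
    reasons: List[str]


def hardware_gate(p: Posture) -> Decision:
    # SENSE: silence is absence of evidence, not evidence of compromise.
    # Alert and investigate; do not wipe a device for failing to report.
    if p.seconds_since_checkin > STALE_AFTER_SECONDS:
        return Decision("Sync Timeout", [ALERT],
                        [f"no health report for {p.seconds_since_checkin}s"])

    # THINK, tier 1: the integrity of the platform itself is in doubt -> Critical.
    critical = []
    if p.rooted_or_jailbroken:
        critical.append("root/jailbreak indicators present")
    if p.platform == "android":
        if p.bootloader_locked is False:
            critical.append("bootloader unlocked")
        if p.integrity_passed is False:
            critical.append("platform integrity verdict failed")
    if p.platform == "windows" and p.tpm_present is False:
        critical.append("TPM absent or disabled")
    if critical:
        # ACT: the OS's own reports can no longer be believed; cut access first.
        return Decision("Critical", [REVOKE, WIPE, ALERT], critical)

    # THINK, tier 2: platform intact but a required control is off.
    # Recoverable, so re-push the policy rather than wipe.
    findings = []
    if p.platform == "windows" and p.secure_boot is False:
        findings.append("Secure Boot disabled")
    if p.disk_encrypted is False:
        findings.append("disk encryption disabled")
    if findings:
        return Decision("Non-Compliant (Security)", [REVOKE, REMEDIATE, ALERT], findings)

    return Decision("Compliant", [], [])


def evaluate_fleet(fleet: List[Posture]) -> Dict[str, Decision]:
    return {p.device_id: hardware_gate(p) for p in fleet}


# Constructed check-ins for the example; not data from any real tenant.
SAMPLE_FLEET = [
    Posture("WIN-01", "windows", 600, tpm_present=True, secure_boot=True, disk_encrypted=True),
    Posture("WIN-02", "windows", 900, tpm_present=True, secure_boot=True, disk_encrypted=False),
    Posture("WIN-03", "windows", 300, tpm_present=False, secure_boot=True, disk_encrypted=True),
    Posture("AND-01", "android", 1200, bootloader_locked=False, integrity_passed=False,
            rooted_or_jailbroken=False),
    Posture("IOS-01", "ios", 400, disk_encrypted=True, rooted_or_jailbroken=True),
    Posture("MAC-01", "macos", 3 * 86400, disk_encrypted=True),
]

if __name__ == "__main__":
    for dev, d in evaluate_fleet(SAMPLE_FLEET).items():
        print(f"{dev}: {d.state} -> {d.actions} ({'; '.join(d.reasons)})")
```

Signals the platform cannot provide are left as `None` and never trigger a finding; only an explicit `False` does. That keeps an iOS device from being flagged for a missing TPM while still failing it for a jailbreak.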