How to Automate Unified Device Password Management & LAPS?
The Unified Device Password Management framework is an IT-centric security protocol designed to secure endpoint access and reduce the “ticket burden” associated with locked devices. Instead of relying on manual interventions, Hexnode UEM enforces strict passcode compliance across all platforms, manages local administrator credentials via LAPS, and allows IT administrators to remotely reset or clear passwords when users get locked out.
This framework ensures that devices remain secure, local admin accounts are not compromised by static passwords, and user access is quickly restored over-the-air.
Key Functional Pillars:
- Cross-Platform Password Policies: Enforce password complexity, length, age, and history across iOS, Android, macOS, Windows, Linux, and ChromeOS devices.
- LAPS (Local Administrator Password Solution): Automatically manages, randomizes, and rotates local administrator passwords on macOS and Windows devices, eliminating the risk of shared or static admin credentials.
- Remote Credential Management: IT admins can remotely set, reset, or completely remove device passcodes (mobile) or local user passwords (desktop) from the Hexnode console without touching the device.
- Enforced Compliance: If a user’s device lacks the required passcode or violates password rules, Hexnode can mark the device as non-compliant and restrict access to corporate resources.
Configuring Device Passwords & LAPS via Hexnode UEM
1. Overview
This document outlines the setup of Password Policies, LAPS configuration, and remote password recovery options within Hexnode UEM. This empowers IT teams to secure local device access and seamlessly recover locked-out user accounts.
2. Prerequisites
- Enrolled Devices: Devices must be actively enrolled and communicating with the Hexnode UEM server.
- OS Requirements: LAPS requires supported versions of Windows (Windows 10/11) and macOS. Remote password clearing on mobile may require devices to be Supervised (iOS) or in Device Owner mode (Android).
- Hexnode Agent: The Hexnode Agent must be installed and up-to-date on desktop platforms for LAPS and local account password resets to function properly.
3. Configuration Steps (Hexnode UEM)
Step A: Enforce OS-Specific Password Policies
To ensure all users have a secure password or PIN on their devices:
- Navigate to Policies > New Policy > Create a fully custom policy.
- Select the target OS (e.g., Windows, macOS, iOS, Android, Linux, ChromeOS).
- Go to Passcode (or Password) > Configure.
- Define your security rules:
  - Password Type: Alphanumeric, Numeric, etc.
  - Minimum Length: (e.g., 8 characters).
  - Password Age: Force users to change their password every X days.
  - Auto-Lock: Set the idle time before the screen locks.
- Go to Policy Targets and assign this to your required Devices, Users, Groups, or Domains/OUs.
Step B: Configure LAPS (Windows & macOS)
To secure local administrator accounts from lateral movement attacks:
- Navigate to Policies > New Policy > Create a fully custom policy > [Windows or macOS] > LAPS > Basic/Advanced LAPS policies.
- Enter the exact Administrator Account Name you wish to manage.
- Configure Password parameters (Length, requirement for symbols/numbers).
- Set the Password Rotation frequency (e.g., Rotate every 30 days).
- Save and assign the policy.
Note: Admins can securely view the current LAPS password from the Device Summary page in the Hexnode console when temporary local admin access is needed.
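The following Python model is an added example, not Hexnode's own code: it mirrors the Step B policy fields (account name, length, digit/symbol requirements, rotation frequency) to show what a compliant LAPS password and rotation schedule look like, and includes the exact account-name match that the troubleshooting section calls out. The policy values and the account list are constructed for illustration.

```python
import secrets
import string
from datetime import datetime, timedelta

# Constructed LAPS policy mirroring the console fields in Step B (hypothetical values).
LAPS_POLICY = {
    "account_name": "localadmin",   # must match the local account name exactly
    "length": 16,
    "require_digits": True,
    "require_symbols": True,
    "rotation_days": 30,
}
SYMBOLS = "!@#$%^&*()-_=+[]{}:,.?"

def password_meets_policy(password, policy):
    """Check length and the required character classes against the policy."""
    if len(password) < policy["length"]:
        return False
    if policy["require_digits"] and not any(c.isdigit() for c in password):
        return False
    if policy["require_symbols"] and not any(c in SYMBOLS for c in password):
        return False
    return True

def generate_laps_password(policy):
    """Draw a CSPRNG password and retry until every required class is present."""
    alphabet = string.ascii_letters
    if policy["require_digits"]:
        alphabet += string.digits
    if policy["require_symbols"]:
        alphabet += SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy["length"]))
        if password_meets_policy(candidate, policy):
            return candidate

def rotation_due(last_rotated, policy, now=None):
    """True once the last rotation is at least `rotation_days` old."""
    now = now or datetime.now()
    return now - last_rotated >= timedelta(days=policy["rotation_days"])

def account_name_matches(policy, local_accounts):
    """Exact string match as the policy expects; case-only differences are
    returned as near-misses so a typo in the policy is easy to spot."""
    if policy["account_name"] in local_accounts:
        return True, []
    near = [a for a in local_accounts if a.lower() == policy["account_name"].lower()]
    return False, near
```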
Step C: Remote Password Recovery & Resets
When a user forgets their password, IT can resolve it through remote actions instead of a separate portal:
- Navigate to the Manage tab and click on the locked device.
- Click on the Actions drop-down menu.
- Choose the appropriate recovery action:
  - Clear Password: Removes the passcode entirely (iOS/Android), allowing the user to swipe to unlock and set a new one.
  - Change Local Account Password: Allows IT to input a new password for a specific local user account on Windows.
  - Reset User Password: Generates a new password for a macOS local user.
  - Rotate Local Admin Password: Forces an immediate rotation of the LAPS password.
4. Admin Workflow: Recovering a Locked-Out User
| Step | User / Admin Action | System Logic |
|---|---|---|
| 1 | User contacts the Help Desk stating they forgot their device PIN/Password. | Help Desk verifies user identity via standard internal protocols. |
| 2 | Admin locates the user’s device under Manage > Devices. | Hexnode confirms the device is online and checking in. |
| 3 | Admin executes Clear Password (Mobile) or Change Local Account Password (Desktop). | Hexnode pushes an MDM command or Agent instruction directly to the endpoint. |
| 4 | User accesses the device. | Device unlocks. The Passcode Policy will immediately prompt the user to establish a new, compliant password. |
5. Security Guardrails
- Compliance Block: Configure Hexnode’s Compliance Policy to mark devices as “Non-Compliant” if the password policy is removed or bypassed. You can pair this with Dynamic Groups to automatically strip Wi-Fi or VPN profiles from non-compliant devices.
- Audit Trail: All remote password resets, clear commands, and LAPS password views are logged. Admins should review these in Reports > Audit Reports > Audit History to ensure no unauthorized credential tampering has occurred.
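As an added example (not part of the Hexnode documentation), the Python below runs two audit-review checks over a constructed sample of password-related events: a LAPS password view that is not followed by a rotation of that device's admin password, and a burst of clear/reset actions by one admin that should be reconciled with help-desk tickets. The column layout of the sample is assumed for illustration and is not Hexnode's actual export format.

```python
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp,admin,action,device.
# The layout is assumed for this example; it is not Hexnode's real export format.
SAMPLE_AUDIT = """\
2024-05-02T09:12:00,alice,LAPS_PASSWORD_VIEWED,WIN-1042
2024-05-02T09:40:00,alice,ROTATE_LOCAL_ADMIN_PASSWORD,WIN-1042
2024-05-02T11:05:00,bob,LAPS_PASSWORD_VIEWED,MAC-0217
2024-05-02T13:30:00,bob,CLEAR_PASSWORD,IOS-0091
2024-05-02T13:31:00,bob,CLEAR_PASSWORD,IOS-0092
2024-05-02T13:32:00,bob,CLEAR_PASSWORD,IOS-0093
2024-05-02T13:33:00,bob,CLEAR_PASSWORD,IOS-0094
"""
VIEW = "LAPS_PASSWORD_VIEWED"
ROTATE = "ROTATE_LOCAL_ADMIN_PASSWORD"
RESET_ACTIONS = {"CLEAR_PASSWORD", "CHANGE_LOCAL_ACCOUNT_PASSWORD", "RESET_USER_PASSWORD"}

def parse_audit(text):
    """Parse the constructed CSV lines into (timestamp, admin, action, device), time-ordered."""
    events = []
    for line in text.splitlines():
        ts, admin, action, device = line.split(",")
        events.append((datetime.fromisoformat(ts), admin, action, device))
    return sorted(events)

def views_without_rotation(events, window=timedelta(hours=4)):
    """A viewed LAPS password is a disclosed credential: flag views on a device
    that no rotation of that device's admin password follows within the window."""
    flagged = []
    for ts, admin, action, device in events:
        if action != VIEW:
            continue
        rotated = any(a == ROTATE and d == device and ts <= t2 <= ts + window
                      for t2, _, a, d in events)
        if not rotated:
            flagged.append((admin, device, ts))
    return flagged

def reset_bursts(events, limit=3, window=timedelta(minutes=10)):
    """Flag admins issuing more than `limit` reset/clear actions inside one window."""
    flagged = set()
    by_admin = {}
    for ts, admin, action, _ in events:
        if action in RESET_ACTIONS:
            by_admin.setdefault(admin, []).append(ts)
    for admin, stamps in by_admin.items():
        for i, start in enumerate(stamps):
            if sum(1 for t in stamps[i:] if t - start <= window) > limit:
                flagged.add(admin)
                break
    return sorted(flagged)
```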
6. Troubleshooting
- Action Remains “Pending”: If a “Clear Password” or “Reset Password” action is stuck, the device is likely offline or experiencing network issues. Ensure the device is powered on and connected to Wi-Fi/Cellular.
- LAPS Password Not Rotating: Verify that the Hexnode Agent is active on the device. Also, ensure the local admin account name spelled in the LAPS policy exactly matches the account name on the local machine.
- Cannot Clear iOS Passcode: The “Clear Password” command for Apple devices requires the iPhone or iPad to be enrolled in Supervised Mode (typically via Apple Business Manager).