Create Enrollment Profiles for Windows devices

What are enrollment profiles?

Enrollment Profiles for Windows PCs and tablets facilitate the process of enrolling them into Hexnode UEM. They enable IT administrators to define general enrollment settings, apply device configurations and set authentication modes, prior to device enrollment. These enrollment settings configured in the profile are applied on the device during its enrollment.

What enrollment settings can be configured using enrollment profiles?

With Enrollment Profiles, admins can configure the following settings to dictate what happens during enrollment:

• General settings – Configure whether a device already enrolled in another UEM solution should enter co-management upon enrollment. The installation of the Hexnode Service app and Hexnode Remote Assist app can also be configured under general settings.
• Authentication modes – Configure how users authenticate to verify their identity when downloading the enrollment profile from the Hexnode server during the enrollment process.
• Device configurations – Set parameters to help identify and manage enrolled devices within the Hexnode portal after enrollment.

Read on to explore the different configuration options available within Enrollment Profiles.

How to configure Windows enrollment profiles?

For configuring enrollment profile,

1. Log in to Hexnode UEM.
2. Navigate to Enroll > Platform-Specific > Windows > Windows PCs and Tablets.
3. Click on Enrollment Profiles.
4. Click on Create or select an existing enrollment profile to make edits to it.

The following settings are available to configure in an enrollment profile,

General Settings

• Profile name: Enter the name for the enrollment profile.
• Profile Description: Enter a description for the profile.
• Co-management: This setting determines whether a device which is already enrolled in another MDM is to be co-managed upon enrollment. Select Enabled to enable co-management for the device. Else, select Disabled.
• Install Hexnode Service app: When this setting is checked, the Hexnode Service app will be installed upon enrollment. If unchecked, the app will not be installed on the device.

Device Configurations

• Enrolled device name: Select the attribute that will be displayed as the device name on the portal, upon its enrollment. The following attributes are available:
  • Device model
  • Phone number
  • Device MAC address
  • Device serial number
  • Device manufacturer
  • Enrolled user username
  • Enrolled user domain name
  • Enrolled user principal name
  • Enrolled user email
  • Personalized device name
• Add to device groups: Select the device groups to which the device will be added.
• Department: Specify the department name to which the device will belong to.
• Asset tag: Specify the asset tag for the device.
• Device notes: Include any device-specific notes. You may modify the device notes in such a way it helps the device to be recognized easily.

User Authentication

Configure the authentication modes prior to enrolling the devices.

• Enforce Authentication: Select this option to enforce user authentication during enrollment. Enabling this option requires the users to authenticate themselves using their credentials in order to download the enrollment profile, on which the device will be assigned to the user. You can configure authentication via Enrollment Request or Self Enrollment.

  Select the types of users (AD/ Microsoft Entra ID/ Local/ Google/ Okta) to be enrolled through Enrollment Request or Self-Enrollment. This ensures that only those users integrated with the Hexnode console can authenticate with their respective credentials and successfully enroll their devices.

  Change the Ownership to Personal, Corporate, or Let the user choose.

• No Authentication: Select this option to enable users of a selected domain configured in the Hexnode portal to enroll themselves without any authentication.

  Choose the Domain to which the user belongs to. The domain can be the local domain or the domain of an identity provider (Google Workspace, Microsoft EntraID, etc.) configured in the Hexnode portal.

  Select a user to assign the device to and enter the password.

  Change the Ownership based on the device to either Personal or Corporate.

• Use Global Authentication: Select this option to apply the global authentication settings configured under Admin > Enrollment > Authentication Modes. The options configured under Enrollment > Authentication Modes will apply for the enrollment profile as well.

After configuring all the information in the enrollment profile, hit Save or Save And Invite. Selecting Save And Invite redirects you to a window where you can send the enrollment URL, along with the username and password of the assigned user device, via email or SMS. Users can then use these details to complete the enrollment. The enrollment profile can be downloaded on the device by entering the enrollment URL in a browser and authenticating if required.

Enrollment Profiles Overview

All the newly created and existing enrollment profiles can be viewed under Enroll > Platform-Specific > Windows > Enrollment Profiles.

A toggle button exists for each enrollment profile. The enrollment profile will be active only if the toggle button is turned on. If an enrollment profile is disabled, then all enrollments using the enrollment URL corresponding to that profile will be blocked and the user will no longer be able to download the enrollment profile and enroll their device. remain blocked.

By clicking on the ellipsis icon corresponding to each enrollment profile, you can find the following option,

• Clone: Click on this to create a copy of the enrollment profile.
• Invite Users: Send the enrollment details to users via email or SMS.