The absolute Guide to Unified Endpoint Management(UEM) in Enterprise

Imagine a life without any computing devices, be it laptops, PCs, mobiles or tablets. It is quite hard, isn’t it? Almost impossible. Now, think about work without any such devices. It is an even more impossible scenario, as the laptops and PCs have become THE office. It is precisely because we are entirely dependent on our work devices that the work from home scenario was not a total fiasco, and was even successful to a large extent. Gone are the days when the employees come to the office, log in to their bulky desktop PCs, and work all day without moving from their seats. Now, the enterprise is not so rigid. The employees and the devices are becoming more and more mobile. Understandably, the evolution of devices has also led to the evolution of device management, from MDM to EMM to UEM. How hard is it for someone new to learn Unified Endpoint Management? It is not so hard as you would think. Read through this guide to completely equip yourself with the basic knowledge of the what, how and why of the UEM in the enterprise, and maybe even start onboard a device or two with Hexnode UEM free trial for a hands-on learning experience.

What is a UEM?

Devising a Device Management Strategy

Step 1: Plan, plan, and plan

What is the use-case for your organization?

Example Use-Case 1: Restricting the users from using the work devices for non-work purposes

The challenge: Sam Dasakis, IT manager at Greek Orthodox Community at NSW, was worried about the nursing staff members using the mobile devices excessively for non-work purposes. The situation felt unmanageable, and he started looking for a UEM suited to his needs.

The solution: After trying different UEM solutions, he settled on Hexnode to lock down the devices into a work-mode. The users could access only the work applications, and were not able to use the mobile devices for any other purposes. The remote control feature helped Sam remotely troubleshoot the managed devices from a single web console.

Read the complete case study here.

Example Use-Case 2: Managing work devices with multiple operating systems

An employee using a managed laptop

The challenge: At Access Health CT, the organization had deployed Fire tablets, iPads, and MacBooks to their employees. Joshua Booth, IT Security Analyst, found it a challenge when the employees had to bring in their devices each time they needed to update apps or troubleshoot issues.

The solution: Different operating systems need different management capabilities, and Joshua was able to realize it all by using Hexnode UEM. Joshua was able to use the Kiosk mode to enhance employee productivity, app management to push out regular updates of the required apps remotely, and enabled him to remotely view, monitor, and control the managed devices.

Read the complete case study here.

How many devices are to be deployed?

What are the operating systems of the devices to be managed?

What are the security requirements for your organization?

Step 2: Structuring the policies and configurations

App Management

Remote installation/uninstallation

The admin can remotely install the apps from the Hexnode UEM web console. On configuring the apps as mandatory apps, the apps would be automatically installed on the managed device. The admin can manage store apps, enterprise apps, and web apps with Hexnode. The Hexnode admin can also push the app updates to the managed devices remotely.

Blacklist/Whitelist apps

Not all apps are required for work devices. Some are even directly detrimental to employee productivity. For example, the employee may start watching YouTube for a small break, and the break could extend into hours. The admin can just blacklist such applications so that the users are not able to access them. The admin can also whitelist the required applications so that the users are able to access and use only the whitelisted applications on the work device.

App Catalogs

App Catalogs are quite a fun feature. It allows the IT managers to avoid the hassle of deploying different sets of applications to different users. The admin can simply set up a customized app store (App Catalog) that contains all the apps required by the organization and the end-users can easily download the apps needed by them. This feature is supported in Android, iOS and macOS devices.

App configurations and permissions

Even before pushing an application to the devices, the admin can configure the app configurations for the managed apps in Android, iOS, and macOS devices. For iOS and macOS devices, the configurations are uploaded as XML files. For Android devices, the admin can configure the work app directly from the policy.

Web Clips for iOS

IOS devices support an additional app management capability. Web Clips are website URLs that can be seen just as another iOS app on the device. On tapping the Web Clip, it would take the user to the corresponding website URL. These Web Clips can be added and customized by the Hexnode admin.

Identity and Access Management

Identity and Access Management (IAM) is a key capability of UEM solutions. How to use a UEM solution for IAM?

Protection against data and identity thefts

The best method to prevent identity thefts and malicious attacks is to have a strong password. While this may sound like an old method, it works. Use the UEM solution to enforce strong password policies in the managed devices.

Active Directory/Azure AD integration for protected access

By integrating Hexnode UEM with Microsoft Active Directory (AD) or Azure AD, the admin can ensure protected access for user data.

Using certificates

Secure the managed devices by deploying certificates directly uploaded to the Hexnode UEM web console.

Containerization for corporate data

In personal devices, clear isolation of corporate apps and data from the personal apps and data is essential. It is important to choose a UEM solution that has BYOD support.

VPN for securing networks

The admin can remotely setup a VPN for securing the networks and the flow of data.

Email and Exchange ActiveSync configurations

Wildcards (%name%, %email%, %password%, etc.) can be used to configure the email and ActiveSync accounts remotely for the managed devices for an admin using Hexnode UEM.

Device Restrictions

Security Management

Enforce strong password rules with Hexnode

The security of the managed endpoints is a prime matter of concern for an IT Manager. Here are some ways you can secure the endpoints using a UEM solution:

Password security

As mentioned previously, a strong password is a foolproof method of securing the device. Using the UEM, it is recommended that the admin devise and enforce strong password policies for the work devices.

OS and software updates

The majority of the updates contain bug fixes and security updates. As an end-user myself, I have the tendency to indefinitely postpone the updates while working. This dependence on the end-user for installing the updates can be overcome with the help of a UEM. The admin can schedule and enforce the software updates on the managed devices, all done remotely from a single pane.

Compliance rules

Compliance could mean different things for different companies, or even different departments. With the UEM solution, the admin should be able to create custom compliance rules. The rules can be created to include checking whether the devices are active, if they are password compliant and application compliant, if they are jailbroken or not, and more. Just creating the set of rules is not enough. The UEM should also enforce it. For instance, with Hexnode, the admin can set up regular compliance checks and get instantly notified if the devices go out of compliance. The admin can then choose to take action to get the errant devices compliant.

Encryption management

Security has almost become synonymous with encryption these days. Even the good old HTTP is now HTTPS, to secure our web browsing. It would be really amiss of us if we fail to encrypt our work devices that contain sensitive corporate data. The IT managers can enforce device encryption on Windows 10 and macOS devices with Hexnode UEM. For new iOS and Android device models, the encryption is turned on by default.

BitLocker: It is the full disk encryption tool for Windows devices. Hexnode UEM can enforce BitLocker encryption for protecting the entire volume against unauthorized access.

FileVault: It is the full disk encryption program for macOS devices running Mac OSX 3.0 and higher. On encrypting the Mac using FileVault, the data in the device cannot be read without the device password or the recovery key. The admin can enforce FileVault encryption in the macOS devices by pushing a configured policy.

Custom scripts execution

A script is a set of commands that are used to automate and execute time-consuming tasks in the endpoints without any manual intervention. Hexnode UEM supports executing custom scripts in both macOS and Windows 10 devices.

Executing custom scripts for Mac

The custom scripts can be executed in all the managed macOS endpoints remotely from the Hexnode UEM web console. Executing the script is as simple as selecting all the endpoints and giving the “Execute Custom Script” action.

Executing custom scripts for Windows

The admin can create the custom Powershell scripts or batch files. These created scripts can then be uploaded to Hexnode Files in the web console. The admin can then select the target Windows endpoints and execute the script in bulk.

Firewall setup

A Firewall acts as a security barrier between the internal and external networks of the organization. The IT Manager can configure the Firewall settings for macOS endpoints using Hexnode UEM. The admin can choose to block or allow all incoming connections or the incoming connections to specific applications.


Geofencing is a location-based UEM restriction. Using this feature, the admin can create virtual perimeters around a geographical region. These geofences help the admin to restrict the availability of corporate resources and define security policies for the devices entering and exiting these virtual geographical regions.

Remote lock/wipe

Security management would be incomplete if there are no plans in place to take care of the lost/stolen devices. Hexnode UEM enables the admin to remotely lock or wipe the missing device. The remote lock feature comes with a custom message that the admin can use to communicate with the person who finds the missing device.

Network Management

Managing networks with Hexnode UEM

The two core aspects of network management are network security management and network usage management.

Tips for Network Security Management using UEM

  • Configure the Enterprise Wi-Fi in a policy and push it to the endpoints. The devices would be automatically connected to the Wi-Fi without being dependent on the users to input the Wi-Fi password.
  • Hexnode UEM allows the admin to configure VPN for iOS, Android and macOS endpoints. A VPN does a great job in securing the network and monitoring the flow of data through it.
  • Set up Web Content Filtering for iOS, Android and macOS endpoints with Hexnode UEM. This would prevent the users from accessing potentially dangerous or malicious websites.

Tips for Network Usage Management using UEM

  • For an enrolled Android endpoint, the admin can monitor how the Wi-Fi and mobile data is being used. With Hexnode, you can track daily and monthly data usage and setup usage limits. The network connectivity would be restricted for the end-user once the limits are reached.
  • Manage and control the cellular data usage for managed apps while the iOS mobile endpoints are roaming. The device may accrue higher charges while roaming, and it is recommended to turn the cellular data off while roaming if the extra charges are a concern.

Kiosk Management

Tablet locked into Kiosk mode with HexnodeThe managed iOS, Android, Windows and tvOS devices have a very useful feature. These devices can be locked down into a Kiosk Mode. Kiosk Mode means that the endpoint is locked down into the functionalities and applications determined by the admin, and prevents the users from interacting with any other apps or device settings.

Single App Mode

Single App Mode restricts the user access to a single application, enabling a locked-down experience in the device. Hexnode UEM can be used to configure Single App Mode in Android, iOS, Windows and tvOS endpoints. We have all interacted with single-app Kiosk devices at one time or the other, the most common example being self-service ticketing Kiosks.

Multi App Mode

What if the admin wants the user to have access to a set of work apps? Multi App mode allows you to do exactly that. The device is locked down into a set of applications and device settings specified by the IT manager, blocking the user access to all other apps and settings of the endpoint. Hexnode UEM supports Multi App Mode in Android, iOS and Windows devices.

Web App Mode

The Web App Kiosk Mode allows the end-users to access only the whitelisted URLs that appear as app icons on the Android or iOS endpoint. Using Hexnode Kiosk Browser helps the admin to ensure additional security while the user navigates the Web Apps.

Digital Signage Display

We have all seen digital signage displays in shops, buildings, malls and airports playing advertisement videos or just displaying images. Hexnode UEM supports Digital Signage Display for all endpoints running Android 4.4 and above.

File and content management


Hexnode UEM Integrations

Step 3: From plan to action

Defining roles

  • Admin: Admins have complete access to every feature and function in the Hexnode Web Portal.
  • Reports Manager: Just as the name suggests, a Reports Manager would have access only to the reports generated and the dashboard.
  • Apps and Reports Manager: An Apps and Reports manager has access to everything that the Reports Manager has. Additionally, they would also have access to the Apps tab, where they can add, delete or update applications in the Web console.

Enrolling the devices

Get started on your UEM journey now


Step 4: After deployment

Reports and Auditing

Compliance checks

How to choose a UEM for your organization?

The future of Endpoint Management

Hexnode MDM is an award winning Enterprise Mobility Management vendor which helps businesses to secure and manage BYOD, COPE, apps and content.