Category filter

Configuring Technicians and Roles in Hexnode

Hexnode UEM encompasses the basic to the most advanced device management functionalities under a single console to help administrators during their course of action. Just like how it takes on a different approach to device administration combined with user management, Hexnode also helps organizations distinctly manage the users on Hexnode who administer the devices. Device administrators operating on the Hexnode console are referred to as technicians, and you can have the console managed by multiple technicians.

The technician who signs up for the portal is the Super Admin, who can then create other technicians. As new technicians are created, they can also be assigned any roles based on their scope of operation. The role assigned to a technician determines the functionalities on the portal that they can access. Three roles are available by default – Admin, Reports Manager, or Apps and Reports Manager.

  • Admin: Admins have full privileges and access to all the features in the portal.
  • Reports Manager: Reports managers can access only the dashboard, Reports tab and the features there.
  • Apps and Reports Manager: Apps and Reports managers have access to the features in both the Apps and Reports tabs. They can also view the dashboard.

More roles can be defined depending on how the technicians should work with the Hexnode portal.

Create technicians in Hexnode UEM

To create a technician,

  1. On your Hexnode console, navigate to Admin > Technicians and Roles.
  2. Click on Add Technician.
  3. Under the Details section, you can configure the following account information and settings:
    Account Information
    1. Enter the first and last name of the technician.
    2. Enter the Username/Email of the technician. If you are enabling SSO (Single Sign-On) for the technician, the username should match the user’s email address.
    3. Enter the Phone number of the technician.
    4. Specify the name of the organization where the technician belongs.


    Single Sign On
    1. If required, enable SSO login via Google, Microsoft, or Okta for the technician. Technician sign-in with local credentials is enabled by default.
    2. Notes:
      • SSO login via Google, Microsoft, or Okta can only be enabled if the corresponding option is enabled in the Global SSO Login Settings.
        1. On your Hexnode UEM portal, head on to Admin > Technicians and Roles.
        2. Enable Google, Microsoft, or Okta under Global SSO Login Settings > Allowed SSO logins.
        3. Click on Save.
      • For technician SSO via Okta, the Okta domain that houses the technician should be integrated with Hexnode.


    CAPTCHA
    1. Verify with CAPTCHA after ___ failed login attempts: Choose the maximum failed login attempts for a technician, after which CAPTCHA will be enabled. It can take values between 1 and 10. By default, the set value is three.
    Note:


    CAPTCHA settings can also be applied globally to all the technicians within the portal in the Global CAPTCHA Settings.

    1. Navigate to Admin > Technicians and Roles.
    2. Under Global CAPTCHA Settings, provide the maximum failed login attempts after which CAPTCHA will be enabled. It can take values between 1 and 10.
    3. Click on Save.

    If CAPTCHA is configured both globally and individually (while creating the technician), the CAPTCHA trigger limit will be the least value among the global and individual CAPTCHA limits.


    Two Factor Authentication

    The second authentication factor for technician login into Hexnode can be a time-based email/SMS OTP or a verification code generated by a third-party authenticator app. For example, the technician can employ Microsoft Authenticator or Google Authenticator as the third-party app that provides a verification code for safe login. You can configure the two-factor authentication settings for a technician from the portal.

    1. Mandate Two Factor Authentication: Enabling this option would initiate login via a two-step verification process. The first step involves the technician signing in with a local or directory password. The second step is to enter a verification code sent to the technician or provided by third-party authenticator apps. This option is enabled by default.
    2. Send Verification Code via: Select Email or Text message as the method. The technician will receive the verification code for signing in based on it.
      Note:
      • The verification code sent to the email address, or phone number is valid for 3 minutes. After the 3 minutes, or if it is already used, a new verification code should be sent to enable login to the portal.
      • Ensure to configure SMS Settings on your portal to enable technician login using OTP via SMS.

    3. Ask this user to set up Third Party Authenticator: If enabled, the technician can only sign in to their portal by verifying the time-based code shown in the Microsoft Authenticator or Google Authenticator app. You can even log in via the recovery codes if you do not have access to the third-party app on the device. Recovery codes are obtained while setting up the third-party authenticator app. Note that a recovery code can only be used once to log in.
      Note:


      Suppose both the email/SMS verification code and third-party authenticator app are set up for a technician. In that case, they will be asked to enter the code generated by the authenticator app or one of the recovery codes generated while setting up the app and not the verification code sent as an email or text message. However, if you want to login via the time-based verification code sent as an email or text message, click on Try another way in the pop-up wizard shown during the technician authentication.

    4. Require code: Choose the period after which the two-factor authentication will be mandated for technician sign in. The available options are Every time logging in, Every 7 days, and Every 30 days.


    Logout Automatically
    1. Logout after a period of inactivity: If enabled, the technician will get logged out after the specified period of inactivity.
    2. Logout after: Set the time for the period of inactivity, after which the technicians will get logged out automatically. The available options are 30 min, 45 min, 60 min, 90 min, 2 hours, 4 hours, and 8 hours.

  4. Click Next.
  5. The role-based settings for the given technician can be configured in the Role sub-section.
    • Click on the Assign Role button. Three roles are available by default – Admin, Reports Manager, or Apps and Reports Manager.
    • You can also assign a custom role to a technician and define its scope. However, custom role technicians cannot access actions that impact critical modules like deletion of APNs, Android Enterprise configuration etc.
    • Click Assign.
  6. Click Save.

Setting up Technician Account

Creating a technician account will send an email invitation link to the given email ID. The link will automatically expire in a day or if it is used once. The technicians can activate the account by clicking on the Setup account in the email invitation.
set up a technician account from the invitation link
Next, the technician will be asked to set up a local password for the account or sign in with Google, Microsoft, or Okta (when SSO login is enabled).

Note:

  • Suppose the new technician tries to log in to the portal using Google, Microsoft or Okta authentication without setting up login via the email activation link. In that case, a message will be displayed asking them to set up signing in.
  • Click on Sign in with Okta to log in to your Hexnode account via Okta. You will be asked to enter your email. Enter the email and click on Submit; this will redirect you to the Okta sign-in page to authenticate your Okta credentials.

The next step is to enable two-factor authentication. To set up the authenticator app for 2FA,

  1. Install the Google Authenticator or Microsoft Authenticator app on your device.
  2. Open the authenticator app on your device and scan the QR code shown or enter the code displayed on the login page.
  3. Navigate to your Hexnode portal and log in with the local/SSO account credentials.
  4. Enter the verification code generated by the app on the portal for successful app setup.

Note:

  • Hexnode UEM restricts the technician to only log in on a single machine or browser at a time.
  • If a technician proceeds to log in to the Hexnode portal that is already logged in from a different browser or machine, the technician will be prompted to log in by terminating the currently active session.

Edit Technician

An admin or super admin can log in to their technician account to edit the settings or information for themselves or other technicians.

  1. Go to Admin > Technicians and Roles.
  2. Click on the more icon and select Edit Technician corresponding to the technician you want to edit.
  3. Click on Edit Information on the My Profile page.
  4. Under the Details sections, you may edit the following settings: Account Information, Single Sign On, CAPTCHA, Two Factor Authentication and Logout Automatically.
  5. Note:

    1. A technician editing its own Account Information details can add an image as the profile image. The supported file formats are jpeg, png, svg, bmp, and jps.
    2. An admin cannot change its Username/Email, organization name, Role, SSO login methods and the 2FA settings that are previously enabled. However, an admin can reconfigure the authenticator app by self-editing their details if their phone is lost or is changed.
    3. If the Username/Email is changed, the given technician will be immediately logged out. They will be asked to reconfigure the authenticator app as it is linked to the previous email.
    4. Suppose the login method for Single Sign On previously set up for the technician is disabled or allowed SSO logins are modified. In that case, the technician will need to use the local credentials to log in or set up SSO login again for the newly selected login option. An email with an SSO reset link will be automatically sent to the technician.
    5. You can reconfigure the authenticator app under the Two Factor Authentication settings by clicking on the Reconfigure Authenticator app. A technician who has lost their device, uninstalled the Authenticator app, or wants to reconfigure the authenticator app on another device, can edit these details to reconfigure the app on a new device. A new QR Code will be displayed on the screen, and the technician can scan this code to set up the authenticator app.

    Reconfiguring the Authenticator App for a technician

  6. On the Roles sub-tab, you can assign a different role to the technician. You may also define the scope if you are assigning a custom-created role. Learn more on custom technician roles.

For an Admin or Super Admin to resend the account activation link of another technician,

  1. Go to Admin > Technicians.
  2. Click on the more icon and select Resend account activation link corresponding to the required user.

It will resend the activation link to the technician’s email account. This option will not be available once the technician sets up their Hexnode account.

Reset Password

If an Admin or Super Admin wants to reset the password of another technician,

  1. Go to Admin > Technicians.
  2. Click on the more icon and select Reset Password corresponding to the technician whose password you want to reset.
  3. Click on Proceed.

A password reset link will be sent to the technician at the specified email ID. The email will expire in a day. The technician has to set up a new password using this link to sign in. The technician will be blocked from logging in to the portal until he uses the password reset link to set up a new password.

Note:


If a technician wants to reset their local password, use the Change Password option (Click on the user icon at the top-right corner of the portal and choose the option Change Password). The technician will be asked to enter the old password, provide a new password and verify it.

Reset SSO

A super admin and an admin can reset his own or other technician’s SSO accounts using this option.

  1. Go to Admin > Technicians.
  2. Click on the more icon and select Reset SSO corresponding to the required technician.
  3. A confirmation dialog box stating that an email will be sent to the technicians to reset the SSO account will be displayed. Click on Yes.
  4. Complete the user authentication to confirm the process.

Deactivate Technician

A technician can be deactivated without removing their account from the portal. Likewise, an Admin can deactivate the account of other technicians except for a Super Admin. To deactivate a technician:

  1. Go to Admin > Technicians and Roles.
  2. Among the list of technicians, disable the toggle button corresponding to the technician whose account is to be deactivated.
  3. Complete user authentication to confirm the deactivation process.
Note:

If the technician has a currently active session, he will receive a session expiry prompt once the account deactivation is initiated. Any further sign-in from the deactivated account raises an error message ‘User is inactive! Please contact your administrator’ on the login window.


A deactivated technician account can be activated by re-enabling the toggle button and completing the user authentication.

Delete Technician

If an admin or a super admin wants to delete a technician,

  1. Go to Admin > Technicians.
  2. Click on the more icon and select Delete Technician corresponding to the technician name.
  3. Click on Yes.
  4. Complete the user authentication and confirm the deletion process.
Note:


Suppose an SSO logged-in technician has disabled the pop-up notification for the Hexnode portal on the device browser, the Hexnode actions that enforce technician authentication cannot be completed.

Since the SSO logged-in technicians are redirected to the Google/Microsoft/Okta authentication page in a new tab for authentication, disabling pop-up notifications for the Hexnode portal will block the authentication. So, actions like device wipe, edit technician, etc., that require technician authentication cannot be completed.

Limiting the number of technicians as per the pricing plan

The number of technicians that can be configured depends on the pricing plan you have subscribed to.

For the Pro plan,

  • Two technicians are available by default.
  • The primary technician is Super Admin, and the other technician is Admin. No other technician roles are available.
  • More technicians can be purchased from the portal. They will be assigned the role of Admin.
  • The CAPTCHA limit for failed technician login is set to the default value 3.
  • Includes two-factor authentication for technician login.

For the Enterprise plan,

  • Three technicians are included in this pricing plan.
  • The primary technician is Super Admin. Other technicians, including the additional technicians purchased from the portal, can be assigned with any of the roles, Admin, Reports Manager or Apps and Reports Manager.
  • The CAPTCHA limit for failed technician login can be customized.
  • Includes two-factor authentication for technician login.

For the Ultimate plan,

  • There are four technicians included by default.
  • The primary technician is Super Admin. The other technicians, including the additional technicians purchased from the portal, can be assigned with any of the roles, Admin, Reports Manager or Apps and Reports Manager. Also, you could manage access to the various tabs on the Hexnode portal for a custom role assigned to a technician and define the access scope individually.
  • The CAPTCHA limit for failed technician logins can be customized.
  • Includes two-factor authentication for technician login.
  • Technician SSO login using Google, Microsoft and Okta is also included.

For the Ultra plan,

  • Five technicians are available by default.
  • The primary technician is Super Admin. The other technicians, including the additional technicians purchased from the portal, can be assigned with any of the roles, Admin, Reports Manager or Apps and Reports Manager. Additionally, technicians can be assigned custom roles. You may also set granular level permissions for sub-tabs within each tab for a custom role assigned to a technician and define access scope.
  • The CAPTCHA limit for failed technician logins can be customized.
  • Includes two-factor authentication for technician login.
  • Technician SSO login using Google, Microsoft and Okta is also included.

When the number of active technicians reaches the maximum limit allocated to each plan, you have to either deactivate or delete any active technicians or upgrade your pricing plan to add new technicians. You can also purchase additional technicians if and when required via the License tab in Admin. The cost for an additional technician is as follows:

  • Annual subscription – $324/year per technician
  • Monthly subscription – $30/month per technician
Note:

  • When you downgrade from a higher pricing plan to a lower one, not all technicians in the initial plan can be availed in the new plan unless the technician slots are additionally purchased. So, while downgrading the plan, additional technicians will get automatically added as the Add-ons on the subscription page. Therefore, you should either deactivate or delete the technicians from there if you do not wish to retain the additional technicians.
  • Only those technicians assigned the roles, Super Admin or Admin, can access the subscription page. The subscription page appears when you navigate to Admin > License > Subscribe to change the pricing plan.
  • Similarly, technicians except for the Super Admin and Admin cannot access the subscription page from the Billing option (that appears while clicking on the user icon displayed on the top-right of the portal).

  • Configurations