Category filter

Co-management of Windows devices

The configuration that enables concurrent management of devices running Windows 10 or later enrolled in other UEM solutions from Hexnode is called Co-management. A device enrolled in some other UEM/MDM software cannot be enrolled in Hexnode, yet it can be co-managed to obtain the device details or perform basic actions from Hexnode. Therefore, such devices are provided with conditional access to the device management functionalities supported by Hexnode. When a Windows device (fully enrolled with another UEM) has the Hexnode UEM app installed and is co-managed by Hexnode, it unleashes the benefits of both the UEMs. Moreover, co-management is one of the primary ways to streamline migration to Hexnode from other UEM vendors.

Note:

  • Co-management is supported on:
    • Windows 10 v1803+
    • Windows 10 v1703 to Windows 10 v1709 (if .NET Framework v4.7.1+ is installed on the device)
    • Windows 11

Co-managing devices in Hexnode

Co-management is a different enrollment technique where two management authorities co-exist on a single device. Once enrollment is initiated on a Windows device via the Hexnode Installer app, the Hexnode Installer checks whether the device is already enrolled with another UEM vendor. If it detects that a third-party UEM service is also managing the device and co-management is enabled on the Hexnode portal, the user can determine whether the device should be co-managed. Then, based on the enrollment settings configured on the portal, the user can continue the enrollment procedure.

Enable co-management from the portal

You can unlock co-management on Windows devices by configuring specific enrollment settings from the Admin tab.

  1. Log in to the Hexnode UEM console.
  2. Navigate to Admin > Enrollment > Co-managing Windows Devices.
  3. Click on the Enabled button.

Basic Enrollment settings

The procedure for co-managing Windows 10 and Windows 11 PCs and tablets is quite similar to enrollment. You can either opt for Open Enrollment or Authenticated Enrollment.

Open Enrollment

Open enrollment is a quick enrollment technique where the user can enroll the devices without any enrollment credentials.

  1. Log in to the Hexnode UEM portal.
  2. Navigate to Enroll > Platform-Specific > Windows > Co-management.
  3. Click on Switch to Open Enrollment. You may omit this step if open enrollment is already enabled.
  4. Under Open Enrollment,
    • Default User – Choose the default user to assign the device. Here, you may either create a new user or select an existing user.
    • Ownership – Choose the ownership as Corporate or Personal.
  5. Click Next.

Authenticated Enrollment

Authenticated enrollment mandates user authentication for device enrollment. This option is preferred if you want to authenticate the user with designated user credentials.

  1. Log in to the Hexnode UEM portal.
  2. Navigate to Enroll > Platform-Specific > Windows > Co-management.
  3. Click on Switch to Authenticated Enrollment. You may omit this step if authenticated enrollment is already enabled.
  4. Under Authenticated Enrollment, choose how the user should authenticate during enrollment. Select the types of users (AD/ Microsoft Entra ID/ Local/ Google/ Okta) who can authenticate the enrollment.
  5. Select the ownership. Choose either Personal or Corporate.
  6. Click Next.
  7. On the next page, determine how the enrollment request should be sent to the user. You can choose Email/SMS.
  8. Choose the user domain.
  9. Select the user.
  10. Click Send. It sends the enrollment request to the user.

Enrollment instructions for the user

This section describes how the user can initiate co-management from the device.

  1. Open the web browser on the device
  2. Enter the enrollment URL.
  3. Click on ‘Download’ to download the Hexnode Installer app.
  4. Go to the download location and open the file to install the app on your device.
  5. On the app, tap ‘Agree and Enroll’ after reading the EULA agreement.
  6. Click on Proceed to co-manage the device.
  7. In the Authentication window, enter the authentication credentials (If Authenticated Enrollment is chosen).
  8. Follow further instructions to install the agent and start co-management of your Windows device.

A co-managed device shows an Enrolled (Limited) status next to the Enrollment status (under Device Summary > Enrollment details). Moreover, you can fetch only a limited number of device details from the portal. The details fetched for a co-managed device are confined to the following sub-tabs, Device Summary, Device Info, Applications, Device Groups, and Action History.

enroll devices with limited device management capabilities

Executing remote actions on co-managed devices

You can perform the following remote actions on a co-managed Windows device:

Another operation that can be performed on a co-managed device is Remote View. A remote view session can be initiated on a device only if the Remote Assist app is installed. As the administrator starts a live session, this app prompts the user to grant the remote view session permission. Once the user accepts the request, the administrator can preview the device screen from the UEM console.

Exceptions:

  • Co-management fails on the endpoints in the following instances.

    • If co-management for Windows devices is disabled in the Admin tab.
    • If the device is currently enrolled in another Hexnode portal.
  • If the device is already enrolled in Hexnode, you will have to disenroll the device and rerun the Hexnode Installer app to proceed with co-management.

Fully enrolling a Co-Managed device

Device management requirements for an organization grow over time. If your current MDM is missing out on desired functionalities, or you want to unleash additional features of Hexnode on co-managed devices, you can fully enroll them in Hexnode. A co-managed device can be fully enrolled by removing the existing UEM vendor from the device and enrolling it in Hexnode once again.

Removing existing MDM

  • Open Settings on the device.
  • Navigate to Accounts > Access work or school.
  • Choose the account corresponding to the current MDM vendor.
  • Click Disconnect.

Re-enrolling the device

You can re-initiate enrollment on a co-managed device using any of the techniques.

While enrolling, if the authentication mode is:

  • Open Enrollment – The device is fully enrolled and is assigned to its current user. Later, the administrator may change the device owner from the portal.
  • Authenticated Enrollment – The device is fully enrolled and is assigned to the existing owner (user), given the same user authenticates during enrollment. If the authenticated user is not the same as the device owner, the enrollment fails.
  • Enrolling Devices
  • Managing Windows Devices