Set up Hexnode Access to allow login to Windows using IdPs

This document helps you configure the Hexnode Access policy that allows to login to Windows using IdPs.

Cloud-based credentials are commonly used to sign up or log in to websites and apps, eliminating the need to create new login credentials each time. While this approach is widely adopted in organizations for work-related apps and websites, it would be highly beneficial if users could also use these same cloud credentials to log in to their work devices. This is where Hexnode Access comes into play. Hexnode Access for Windows simplifies logging into Windows devices by integrating with IdPs like Microsoft Entra ID and Google Workspace. It lets organizations get started with access management and allows employees to login to Windows using their cloud IdP credentials.

Not only does this integration of Hexnode with IdPs streamline the device login process, but it also offers a range of customization options for the login window. This customization includes providing users with access to help links related to the sign-in procedures and enabling network access, all directly from the login window itself. Learn how to configure Hexnode Access for Windows to enhance the login experience for users.

How to allow login to Windows using IdPs?

Here’s how you configure the Hexnode Access policy to allow login to Windows using IdPs.

1. Login to the Hexnode UEM portal.
2. Navigate to Policies, select an existing policy, or click on New Policy to create a new one.
3. Navigate to Windows > Security > Hexnode Access and click Configure.

Clicking “Configure” will present you with the following options for Hexnode Access configuration:

Basic Settings:

Identity provider – Admins can choose the preferred IdP from the dropdown list. Hexnode Access supports Microsoft Entra ID and Google Workspace.

1. Microsoft Entra ID

1. Configure authentication by – There are two available options for configuring authentication with Microsoft Entra ID. Administrators can either proceed with the IdP domains already added to the Hexnode UEM portal or create a new app registration in the IdP portal. These two options are explained briefly as follows.

   Azure AD domains added to Hexnode portal – Administrators have the option to choose from the domains listed under Admin > Azure AD in the Hexnode UEM portal to configure the authentication.

   

   • Domains – Choose one or more domains from the drop-down list. The selected domains will be displayed below the drop-down menu, and you have the option to remove any that are not needed.
   • Allow access for all users – Check this box if you want to grant device access to all the user groups within the domain.
   • Allow access only for – If access to the device should not be granted to all user groups in the selected domains, specify the ones that should be granted access in this field.
2. Create a new app registration in Microsoft Azure portal – A new app registration must be created for the Hexnode Access app in the Microsoft Entra ID portal.

How to register Hexnode Access with Microsoft Entra ID?

Create a new app registration:

1. Login to the Microsoft Azure portal.
2. Click on the Show portal menu icon at the left top corner of the page and navigate to Microsoft Entra ID > Manage > App registrations > New registration.
3. Enter Hexnode Access in the Name field.
4. Under the Supported account types field, select Accounts in this organizational directory only (company name only – Single tenant).
5. Under the Redirect URI field, select Web from the Select a platform drop-down and enter a valid URI in the adjacent field. The URI will be of the format https://portalname.hexnodemdm.com/azure_devicelogin_callback . In the above URI format, replace the portalname with the name of the corresponding Hexnode UEM portal’s name.
6. Click Register.

After registering the app in the Microsoft Azure portal, return to the Hexnode UEM portal to continue configuring the authentication settings.

Client ID – Provide the Application/Client ID of the registered app obtained from the Microsoft Azure portal. This will be used to authenticate the user.

To find the Client ID,

1. Click on the menu icon located at the top left corner of the page.
2. Navigate to Microsoft Entra ID > Manage > App registrations > All applications.
3. Select the specific application you require and view its Client ID.

Tenant ID – Provide the Directory/Tenant ID obtained from the Microsoft Azure portal.

Client secret – Provide the client secret of the registered app, which is known only by the app and your IdP.

To obtain the client secret from the Microsoft Azure portal, follow these steps:

1. Click on the Show portal menu icon located in the top-left corner of the page.
2. Navigate to Microsoft Entra ID > Manage > App registrations > All applications.
3. Select the required application.

Click on Client credentials to view the Client secret.

If the Client secret hasn’t been generated yet, follow these additional steps:

1. Click on Client credentials.
2. Then, click on Add a certificate or secret.
3. Select New client secret and click Add.
Note:


Once the device is connected to Microsoft Entra ID, the option “Login with Work Account” will be listed under the “Sign-in options” in the “Other user” section on the login screen of the device.



2. Google Workspace

Configure authentication by – There are two available options for configuring authentication with Google Workspace.

1. Google Workspace domains added to Hexnode portal – Administrators can choose domains listed under Admin > G Suite in the Hexnode UEM portal to set up authentication configurations.

   

   • Domains – Select one or more domains from the drop-down.
   • Allow access for all users – Check this box if you want to grant device access to all the user groups within the domain.
   • Allow access only for – If access to the device should not be granted to all user groups in the selected domains, specify the ones that should be granted access in this field.
2. Creating OAuth credentials in Google Cloud – OAuth credentials must be created for the Hexnode Access app in Google Cloud.
   

   How to create OAuth credentials for Hexnode Access?

   1. Login to Google Cloud.
   2. Click on the Navigation menu icon at the left top corner of the page and navigate to APIs and Services > Credentials.
   3. Click Create Credentials and select OAuth client ID.
   4. Select Web Application from the Application type drop-down.
   5. Enter Hexnode Access in the Name field.
   6. Click Add URI under Authorized Redirect URIs and enter a valid URI. The URI will be of the format https://portalname.hexnodemdm.com/gsuite_devicelogin_callback . Replace portalname with the corresponding Hexnode UEM portal’s name.
   7. Click Create.

   After registering the app and generating OAuth credentials in Google Cloud, return to the Hexnode UEM portal to continue configuring the authentication settings.

   Client ID – Provide the Client ID generated after creating the credentials, as it serves the purpose of authenticating users.

   Client secret – Provide the Client secret generated once the credentials are created. This value is confidential and is known only by the app and the IdP.

Account Settings

1. When selecting domains that have been added to the Hexnode portal:

   • Set user type of newly created user to Admin – Check the box to designate the user types of the newly created users as administrators.
   • Set Admin user type only for – If not all users require administrative privileges, indicate which users should be created as administrators.

2. When creating app registration with IdP:

   • Set user type of newly created user to Admin – Select the checkbox to grant admin privileges to the newly added users.

Login Settings

While you allow login to Windows devices using IdPs, you can also specify the login authentication settings. These settings let you determine if the user can access the device offline or how often the user should authenticate using the cloud IdP credentials.

1. Limit Offline Access – Mark the checkbox to mandate users to re-authenticate themselves using their cloud Identity Provider (IdP) credentials after a set period.
2. Require authentication every – If the option Limit Offline Access is checked, select the frequency for the periodic authentication from the drop-down:
   • Every login
   • Every 15 days
   • Every 30 days
   • Every 45 days
   • Every 60 days
   • Every 90 days
   • Every 120 days
   • Every 180 days

Login Window Appearance

1. Set login page background – Upload an image to configure it as the background for the login page.
2. Login page logo – Upload an image to configure it as the logo for the login page.

Click the ‘Preview‘ button to see a preview of how the login window will appear with the settings you’ve configured above.

Advanced Settings:

1. Allow access to network settings– Mark the checkbox to allow users to connect to a network from the login window. If enabled, users will have the option to click on ‘Network Settings’ on the login page and select their preferred network for connection.
2. Help URL – Provide a link that could prove useful to users when logging into the device, during the enrollment process, or onboarding.
3. Allow users to reset password – Mark this checkbox to allow users to reset their local user account password after authenticating with cloud account.

Login scripts

As you allow login to Windows using IdPs, the admin can also select a script to be executed automatically at every user login. The supported file formats for scripts include .bat, .cmd, and .ps1.

1. Choose script file source
   • Upload file – The option enables the user to upload the script directly from the device.
   • Hexnode Repository– The script can also be uploaded from the Hexnode Repository if the file is already added to My Files under the Content tab in the Hexnode UEM portal.
2. Script Name – On uploading files, the file name field will be auto-populated.
3. Arguments – If necessary, specify the arguments that would be required in the script.
4. Timeout – Scripts that don’t complete execution within the specified period will be forcefully terminated. It is recommended to leave this value unchanged. The minimum value is 15 minutes.

Associate policy with Windows devices

If the policy has not been saved:

• Navigate to Policy Targets.
• Click on Devices/ Device Groups/ Users/ User Groups/ Domains.
• Choose the targets and click OK and then Save.

If you have the policy saved already:

• Go to the Policies tab and choose the desired policy.
• Click on the Manage drop-down and select Associate Targets.
• Choose the target entities and click Associate. You can choose devices, users, groups, and domains as the policy targets.

What happens at the device end?

After the policy is applied to the device, the user has the option to either log in as they normally do with their local accounts or select the “Login with a work account” alternative. When the user clicks on “Log in with work account,” they are required to authenticate themselves using their cloud IdP credentials. After authentication, the user will be prompted to set a password for the new local account that is being created. Once it is done, the user will be logged into the device.