HERE'S WHY
Having secure devices plays a major role in meeting compliance requirements. We want to support as many Mobile Device Management solutions (MDMs) in addition to providing our agent. This article goes over how to set up Hexnode UEM & bring all of your compliance-related information from Hexnode to Drata.
BEFORE DIVING IN
Make sure that you have admin access to your company’s Hexnode account.
Make sure that your APN for Mac devices is configured in Hexnode before you enroll them. Click here for more information.
Make sure that the your devices you wish to monitor are enrolled through the Hexnode app. For more information on how to enroll Mac devices, please click here.
Currently, only desktop devices are supported for the Hexnode integration. We can not import data from tablets and mobile devices.
To access and configure Gatekeeper Policy, you must have an Ultra plan with Hexnode but this is not needed for our default checks.
Data from pre-approved enrolled devices can not be synced.
Hexnode cannot natively pick up browser extensions, so if those are being used as a password manager, that compliance check will fail. Your users will need to use the equivalent installed desktop application. Ensure that this app shows on the device's Application List.
At this time, Drata’s device compliance checks using the Hexnode connection confirms the following:
Does the policy of the required name and/or type exist?
Is that policy mapped to the device?
Is that device compliant with that policy?
HERE'S HOW
Policies in Hexnode
Creating policies in Hexnode is necessary for MacOS Disk Encryption, Firewall, Lock Screen, Auto Updates, and Antivirus compliance data.
FileVault
Log in to your Hexnode admin account.
Click on “Policies”
In the “My Policies” menu, please click on “New Policy”
Select “New Blank Policy”
Create a policy name and add a description
Note: When naming the FileVault policy, make sure to include “FileVault” in the name so Drata can detect the policy.
Go to the macOS section
In the left navigation bar, scroll down to the security section and select “FileVault”
Click on “Configure”
Confirm that the “Enable FileVault” and “Show Personal Recovery Key to user” boxes are checked.
Firewall
Configure a Firewall policy to ensure the firewall is active on all devices.
Click on “Policies”
In the “My Policies” menu, please click on “New Policy”
Select “New Blank Policy”
Create a policy name and add a description
Note: When naming the Firewall policy, make sure to include “Firewall” in the name so Drata can detect the policy.
Go to the macOS section
In the left navigation bar, scroll down to the security section and select “Firewall”
Click on “Configure”
Confirm that the “Enable Firewall” and “Allow incoming connections” options are selected.
Screensaver
Configure a Screensaver policy to ensure a screensaver is active on all devices.
Click on “Policies”
In the “My Policies” menu, please click on “New Policy”
Select “New Blank Policy”
Create a policy name and add a description
Note: When naming the Screensaver policy, make sure to include “Screensaver” in the name so Drata can detect the policy.
Go to the macOS section
In the left navigation bar, scroll down and select “Screensaver”
Click on “Configure”
Confirm that the “Enable Screensaver” and “Require Password to unlock screen” options are selected. We recommend setting “Login window screensaver idle time” and “Screensaver idle time” as 1 min. We recommend setting “Set delay for password prompt” as “immediately”.
Software Update
Click on “Policies”
In the “My Policies” menu, please click on “New Policy”
Select “New Blank Policy”
Create a policy name and add a description
Note: When naming the Software Update policy, make sure to include “Software Update ” in the name so Drata can detect the policy.
Go to the macOS section
In the left navigation bar, scroll down and select “OS Updates”
We recommend setting “Choose your OS update settings” as Install
Gate Keeper
To configure a Gate Keeper policy, you need to be on Hexnode’s Ultra Plan.
Configure a Screensaver policy to ensure a screensaver is active on all devices.
Click on “Policies”
In the “My Policies” menu, please click on “New Policy”
Select “New Blank Policy”
Create a policy name and add a description
Note: When naming the Gate Keeper policy, make sure to include “Gate Keeper” in the name so Drata can detect the policy.
Go to the macOS section
In the left navigation bar, scroll down and select “Advanced Restrictions”
Click on “Configure”
Recommended options:
All options in the “Device Functionality and Personalization” are selected.
All options in the “Security and Privacy” section are selected except for “Activation lock”.
No options in the “App Store” section are selected.
In the “App Installation From” dropdown, select “Mac App Store and Identified Developers”.
Connecting Hexnode to Drata
Log into your Hexnode admin account and click on “Enroll”. Keep note of the “Server” URL. That will be entered as the API URL in Drata during setup.
Click on “Admin”
Scroll down on the left navigation bar and click on “API”
Click the lock icon to reveal the API Key and take note of that key.
Return to Drata and click on your company’s name in the lower left of the blue sidebar. Click “Connections” from the menu.
Scroll down and look for “Hexnode” and click “Connect”
A drawer will extend asking the API URL and API Token. When entering the API URL from Hexnode, make sure to include “https://” at the front of the URL. Enter the API Key from Hexnode as the Token in Drata.
Once you enter the account details please click “Save & Test Connection” at the bottom.
We need to Configure Hexnode in Drata for employee onboarding. Go back to your company name on the left side and click on “Internal Security.”
Turn on “Automated via Hexnode MDM'' and switch off “Automated via Drata Agent" to disable the Drata Agent. Note: If both remain on, and the Drata agent is installed on a personnel’s computer, the Drata agent will take precedence over any MDM. This means employee compliance data related to that device will come from the Agent and not the connected MDM.
Congratulations, your Hexnode Integration setup is complete!
Drata will pull data from Hexnode daily once Autopilot completes running.