Hexnode pricing guide: Which plan should you choose?

Hexnode sells four different products: UEM, XDR, IdP, and Hexnode Suite. Most people typically choose just a UEM (Unified Endpoint Management). However, you will need XDR for advanced threat detection, IdP for identity management, or the Hexnode Suite if you want all three tools bundled into a single platform.

If you’re wondering whether an Ultimate UEM plan is enough or if you need Hexnode Suite, you're not alone. The distinction isn't always obvious from Hexnode's pricing pages because choosing the right tier requires understanding how these components interact. Before diving into individual pricing tiers, let's look at what each core product actually does under the hood.

Understanding Hexnode's core products

Hexnode offers four different products. Here's what each one does:

UEM (Unified Endpoint Management)

This is the device management platform. UEM manages iOS, Android, Windows, macOS, Linux, ChromeOS, tvOS, and Fire OS devices from one console.

What UEM actually does:

• Deploy apps remotely to managed devices

• Enforce security policies (passcodes, encryption, restrictions)

• Lock devices into kiosk mode for single-app or multi-app use

• Track device location

• Remote wipe corporate data

• Control Wi-Fi, VPN, and email configurations

• Run custom scripts on Windows, Mac, and Linux endpoints

If you're managing corporate devices and need central control, UEM is your starting point.

XDR (Extended Detection & Response)

This is Hexnode's security layer. XDR monitors endpoints for threats and helps you respond to attacks.

What XDR actually does:

• Detect malware, ransomware, and suspicious processes in real time

• Map attacks to MITRE ATT&CK framework tactics

• Prioritize alerts by severity (not all alerts are created equal)

• Isolate infected devices with one click

• Terminate malicious processes remotely

• Show attack chains (how the threat moved through your network)

• Generate compliance reports for audits

If you're responsible for endpoint security beyond device management, XDR adds threat detection and response.

IdP (Identity Provider)

This bridges identity and device health. IdP ensures only compliant, managed devices can access corporate SSO applications.

What IdP actually does:

• Verify device compliance before granting access

• Integrate with existing identity providers (Okta, Microsoft Entra ID, Google Workspace)

• Block access from unmanaged or non-compliant devices

• Sync user directories with device policies

• Enforce device-aware conditional access

You need IdP if you're implementing zero-trust access. Standard SSO verifies the user. IdP verifies both the user and the device health.

Hexnode Suite

Suite bundles UEM + XDR + IdP into one package. Hexnode doesn't publish Suite pricing. You request a custom quote.

Why bundle? If you need all three products, Suite pricing saves you up to 30% compared to buying each separately. The catch is you need all three. If you only need UEM + XDR, buying them separately makes more sense.

Suite is ideal for organizations with complex security requirements. Think: financial services, healthcare, government contractors. These industries often need device management, threat detection, AND device-aware access control.

What you need to know about minimums and limits

All Hexnode plans have three hidden rules that impact your total cost and who on your team can use the software.

The minimum device criteria

Every plan requires at least 15 devices. So you need to pay for 15 devices even if you only manage 10.

Technician limits (and add-on costs)

Each plan includes a set number of admin accounts:

• Pro: 2 technicians

• Enterprise: 3 technicians

• Ultimate: 4 technicians

• Ultra: 5 technicians

Need more admins? Each additional technician costs $30/month or $324/year.

Example: You subscribe to Enterprise (3 included technicians). Your team has 6 IT admins. You pay an extra $972/year for 3 additional seats.

Hexnode UEM pricing tiers explained

Hexnode UEM has four pricing tiers. Here's what unlocks at each tier:

Pro: $2.4/device/month (Mobile-only)

The entry tier. Built exclusively for iOS and Android management. No support for Windows, macOS, or tvOS.

Pro covers the basics for mobile device management. You can deploy apps, configure email and VPN, track device location, and lock devices into kiosk mode.

What's included

• Kiosk Management (Mobile)

• App Management (Mobile)

• Location Tracking

• Apple Business Manager

• Android Enterprise

• Samsung Knox

• Advanced MDM features: Email, VPN, ActiveSync, Certificates

• API integrations

• 2 Technicians (super admin + 1)

What's NOT included

• No Windows, macOS, or tvOS support. If you have any desktop computers or Apple TVs, Pro won't manage them.

• No Remote Control. You can't view or control device screens remotely. If a user needs help, you can't see their screen.

• Can't add more technicians. Stuck at 2 admin accounts. If you need a third technician, you'll need to upgrade to Enterprise.

Best for

Mobile-only deployments. You're managing iPads for a retail store, Android tablets for warehouse workers, or iPhones for field sales reps.

Small teams where 2 technicians are enough. Maybe a small business with one IT admin and one backup.

Enterprise: $3.2/device/month (Basic UEM)

Everything in Pro, plus basic desktop OS management and directory integrations.

Enterprise adds desktop OS support, so you can manage mobile and desktop from one console.

What’s included

• Windows, macOS, tvOS management (basic level)

• Remote View (see device screens, can't control)

• Directory Integrations (Microsoft Entra ID, Active Directory, Google Workspace)

• Geofencing

• Web Content Filtering (mobile)

• Hexnode Gateway (migration tool for Windows/Mac onboarding)

• 3 Technicians

What’s different from Pro

Desktop OS support. If you manage Windows laptops, Macs, or Apple TVs alongside mobile devices, Enterprise is your entry point.

Directory integrations. If you use Active Directory or Azure AD, Enterprise syncs with those systems.

Best for

Mixed device environments. You're managing iPhones, Windows laptops, and maybe some Macs.

Organizations using Microsoft Entra ID, Active Directory, or Google Workspace. The directory integration automates device policy assignment.

Teams that need remote viewing for support but don't need full remote control.

3-person IT teams. If you have exactly 3 admins, Enterprise's included technician seats work perfectly.

Ultimate: $4.7/device/month (Advanced UEM)

Everything in Enterprise, plus the automation and control features most IT teams actually need.

Ultimate is the most popular tier because it unlocks remote control and custom scripting. For most teams, these two features alone are reason enough to upgrade.

What’s included

• Remote Control (not just view, you can actually take over device screens)

• Custom Scripting (automate tasks with PowerShell, Bash, Shell, Python)

• FileVault for macOS (full-disk encryption enforcement)

• App Management for Windows and Mac

• Windows Autopilot

• Advanced Reporting (scheduled reports)

• Basic Okta SSO (login to Hexnode via Okta, Google, Microsoft accounts)

• Custom Roles - Level 1 (restrict technician access to specific console tabs)

• 4 Technicians

What’s different from Enterprise

Remote Control changes support workflows. Help desk resolves issues in minutes instead of hours. No more screen-sharing via Teams while walking users through settings.

Custom Scripting enables automation at scale. Push a registry fix to 1,000 Windows laptops in 10 minutes. Without scripting, you'd need Group Policy or manual work.

FileVault enforcement for macOS. If your security standards require encrypted Mac endpoints, Ultimate is where you start.

Best for

Organizations that need remote control, custom automation, and advanced macOS management features, while staying below enterprise-level requirements.

Ultra: Request Pricing (Enterprise-grade)

Everything in Ultimate, plus features built for large Windows fleets and strict security compliance.

Hexnode doesn't publish Ultra pricing. You contact sales for a custom quote. Pricing depends on device count, contract length, and specific features needed.

What’s included

• BitLocker for Windows (full-disk encryption)

• OS Patch Management for macOS and Windows (centralized patch deployment)

• Okta Device Trust (extends basic SSO with device compliance verification)

• Hexnode Access (streamlines macOS/Windows user login)

• Custom Roles - Level 2 (restrict specific console actions, not just tabs)

• Genie AI features: Chat (help repository Q&A), Script (auto-generate scripts), Fix (AI troubleshooting)

• SCCM integration

• 5 Technicians

What’s different from Ultimate

Patch Management is the biggest reason to choose Ultra for Windows-heavy environments. If you're managing 500+ Windows laptops, automating patch deployment saves significant time and cuts security risk.

BitLocker enforcement for Windows compliance. Many frameworks require encrypted endpoints. Ultimate delivers FileVault for Macs. Ultra adds BitLocker for Windows.

Device Trust SSO matters for regulated industries. Financial services, healthcare, and government contractors often require device-level authentication for all admin tools.

Best for

Security-conscious organizations that require advanced compliance controls, patch management, encryption enforcement, and enterprise-grade integrations.

Hexnode XDR pricing plan

Hexnode XDR is a threat detection and response product. Unlike UEM (which has four tiers), XDR has one plan priced at $5.5/device/month. 

XDR addresses a different problem than UEM. UEM manages devices and enforces policies. XDR detects threats and responds to attacks.

What's included

• Real-time endpoint threat detection

• Unified management console

• Custom detection rules and policies

• Alert prioritization and severity scoring

• MITRE ATT&CK® mapping

• Reporting and compliance dashboards

• Admin audit logs

• Live terminal response

• Attack chain visualization

• Real-time process visualization

• Role-based access control

How XDR integrates with UEM

• Standalone mode: XDR runs independently. You install the XDR agent on endpoints. You manage threats from the XDR console. UEM is not involved.

• Integrated mode: XDR threat intelligence feeds into UEM policies. When XDR detects a compromised device, UEM automatically quarantines it (blocks network access, disables certain apps, triggers compliance workflows). Automated threat response without manual intervention.

Best for

Organizations needing endpoint threat detection alongside device management. Can be purchased standalone or bundled with UEM.

Hexnode products that require custom quotes

Two Hexnode products do not have published pricing.

Hexnode IdP pricing plans

IdP handles identity and access management. It ties user identity to device health, so only compliant, managed devices can reach your corporate SSO applications.

Why custom quote

IdP likely bills per user (not per device), and the integration complexity varies based on existing directory infrastructure (Microsoft Entra ID, Google Workspace, Okta).

Who needs it

Organizations wanting device-aware access control. Enforce device compliance before granting SSO access.

Hexnode Suite pricing

The Hexnode Suite bundles UEM + XDR + IdP into one package.

Pricing

Request quote. Hexnode claims you can save up to 30% compared to buying each product separately.

Who needs it

This is for organizations that need the full endpoint security stack: device management, threat detection, and identity management.

So, which Hexnode plan should you choose?

There's no perfect answer. Every tier has a tradeoff in price, platform coverage, or features.

But here's a decision tree that can help:

• Choose Pro if you're managing only iOS and Android devices, have two technicians or fewer, and want to keep costs low.

• Choose Enterprise if you're managing a mixed environment (mobile plus Windows/Mac) or need directory integrations like Entra ID with three technicians.

• Choose Ultimate if you need remote control capabilities, require automation with custom scripts, want macOS FileVault enforcement, have up to four technicians, and need advanced features without enterprise-only restrictions.

• Choose Ultra if BitLocker enforcement is mandatory, OS patch management is critical, SCCM integration is required, you need high security compliance, and your budget allows for top-tier features.

• Consider XDR if you need real-time threat detection and automated response alongside device management, and are willing to add $5.5 per device per month to your UEM cost.

Start with the 14-day free trial. You get full Ultra access. Test it with your real devices. Note which features save your team time and which you never touch. Then subscribe to the plan that fits your team.

Moving beyond device management with SuperOps

Hexnode helps manage devices. SuperOps helps run IT operations from a central console. If you're choosing a UEM platform, you're solving one problem: device control. But most IT teams need more than device control. 

They need tickets connected to device data. They need automation that acts across endpoints and help desk workflows. They need one platform where device health feeds directly into service delivery.

That's where SuperOps fits.

What SuperOps delivers that Hexnode doesn't

SuperOps unifies endpoint management, help desk, asset tracking, patching, and monitoring in one platform. Device data flows into every IT workflow automatically.

• Native IT help desk: Every ticket carries live device context. When a user reports an issue, the ticket shows: device health, patch status, installed apps, recent changes. Your help desk team sees everything without switching tools. Hexnode has no ticketing system. You need a separate ITSM tool.

• Monica AI remediation: Monica AI works across endpoints and tickets at the same time. It detects a patch compliance issue, creates a ticket, deploys the patch, and closes the ticket. Agentic automation across the full IT workflow. Hexnode manages device policies. It doesn't remediate tickets.

• Cross-OS UEM coverage: SuperOps manages Windows, macOS, iOS, and Android from one console. Same depth as Hexnode for mobile device management. But SuperOps adds the help desk layer that Hexnode lacks.

• Asset management connected to devices: SuperOps tracks assets using live endpoint data. Asset records stay current because they pull from live device data. No manual spreadsheet updates. Hexnode focuses on device policies, not asset lifecycle.

• Network and infrastructure monitoring: SuperOps monitors network devices, servers, and SNMP-enabled infrastructure alongside endpoints. Hexnode manages endpoints only. If you need network visibility, you need another tool.

• Pricing models: Hexnode charges per device and limits admin accounts (2 to 5 technicians, depending on tier). SuperOps offers two pricing models: per-technician for MSPs (with unlimited devices) and per-endpoint for IT teams. Choose the model that fits your use case. 

Conclusion

Hexnode pricing follows a simple pattern. Pro handles mobile-only fleets. Enterprise adds basic desktop support and directory integrations. Ultimate unlocks Remote Control and Custom Scripting. Ultra adds BitLocker and patch management for enterprise Windows environments. Most teams choose Ultimate because it delivers the automation features IT teams actually use without paying for enterprise-only capabilities.

The 14-day free trial gives you full Ultra access with no credit card required. Test your actual workflows with your real devices. Map which features save your team time and which features you never touch.

Hexnode charges per device with strict technician limits. SuperOps offers two pricing models: per-technician for MSPs (with unlimited devices) and per-endpoint for IT teams.

If you need device management connected to your help desk workflows, SuperOps handles both. With AI-driven remediation built in, it can actively replace your UEM tool and your ITSM platform. 

Start your SuperOps free trial today.

Frequently asked questions

Is Hexnode free?

Hexnode offers a 14-day free trial with full Ultra access. No free plan exists after the trial.

What is the difference between Hexnode and Intune?

Hexnode is a third-party UEM supporting iOS, Android, Windows, macOS, Linux, ChromeOS, and more. Intune is Microsoft's native solution, tightly integrated with Microsoft 365 and Azure AD. Hexnode offers broader OS support. Intune works best in Microsoft-heavy environments.

What is the difference between Hexnode and FileWave?

Both are UEM platforms. FileWave focuses on macOS and iOS management with strong imaging and deployment capabilities. Hexnode supports more OS platforms (including Android, Linux, ChromeOS). FileWave pricing is typically higher and targets education/enterprise markets. Hexnode offers more accessible entry tiers.

Is Hexnode an MDM?

Yes. Hexnode started as an MDM (Mobile Device Management) solution. It has evolved into a full UEM (Unified Endpoint Management) platform that manages mobile and desktop OS.

Does pricing vary by operating system?

No. Hexnode charges per device regardless of OS. One iOS device costs the same as one Windows device.

What happens to my data after the trial expires?

Your data is retained for 30 days after trial expiration. You can subscribe to any paid plan within 30 days to keep your data. After 30 days, data is deleted permanently.

How do I get pricing for Ultra?

Request a quote via Hexnode's website. The sales team provides custom pricing based on device count and deployment requirements.

Can I downgrade my plan later? 

Yes. You can downgrade at the end of your billing cycle. Though you'll lose access to higher-tier features at the end of the billing cycle.