Role-based access control and Endpoint Management support

Endpoint Management uses role-based access control (RBAC) to restrict user and group access to Endpoint Management system functions, such as the Endpoint Management console, Self-Help Portal, and public API. This article describes the roles built in to Endpoint Management and includes considerations for deciding on a support model for Endpoint Management that leverages RBAC.

Built-In roles

You can change the access granted to the following built-in roles and you can add roles. For the full set of access and feature permissions associated with each role and their default setting, download Role-Based Access Control Defaults
. For a definition of each feature, see Configure roles with RBAC
.

Admin role

Default access granted:

• Full system access except to the Self-Help Portal.
• By default, administrators can perform some support tasks, such as check connectivity and create support bundles.

Considerations:

• Do some or all of your administrators need access to the Self-Help Portal? If so, you can edit the Admin role or add Admin roles.
• To restrict access further for some administrators or administrator groups, add roles based on the Admin template and edit the permissions.

User

Default access granted:

• Access to the Self-Help Portal, which lets authenticated users generate enrollment links. The links allow them to enroll their devices or send themselves an enrollment invitation.
• Restricted access to the Endpoint Management console: device features (such as wipe, lock/unlock device; lock/unlock container; see location and set geographic restrictions; ring the device; reset container password); add, remove, and send enrollment invitations.

Considerations:

• The User role enables you to enable users to help themselves.
• To support shared devices, create a user role for shared device enrollment.

Considerations for a Endpoint Management support model

The support models that you can adopt can vary widely and might involve third parties who handle level 1 and 2 support while employees handle level 3 and 4 support. Regardless of how you distribute the support load, keep in mind the considerations in this section specific to your Endpoint Management deployment and user base.

Do users have corporate-owned or BYO devices?The primary question that influences support is who owns the user devices in your Endpoint Management environment. If your users have corporate-owned devices, you might offer a lower level of support, as a way to lock down the devices. In that case, you might provide a help desk that assists users with device issues and how to use the devices. Depending on the types of devices you need to support, consider how you might use the RBAC Device Provisioning and Support roles for your help desk.

If your users have BYO devices, your organization might expect users to find their own sources for device support. In that case, the support your organization provides is more of an administrative role focused around Endpoint Management-specific issues.

What is your support model for desktops?Consider whether your support model for desktops is appropriate for other corporate-owned devices. Can you use the same support organization? What additional training will they need?

Do you want to give users access to the Endpoint Management Self-Help Portal?Although some organizations prefer not to grant users access to Endpoint Management, giving users some self-support capabilities can ease the load on your support organization. If the default User role for RBAC includes permissions that you don’t want to grant, consider creating a new role with only the permissions you want to include. You can create as many roles as needed to meet your requirements.