System Center Mobile Device Manager uses role-based access control. Unlike an authentication system, which establishes who a user is, role-based access control is an authorization system: it specifies what a user is authorized to access and which tasks that user can perform.
This topic describes Tasks by Administrator Roles, and Tasks and Administrator Roles by Cmdlet.
The administrator roles are:
- DeviceAdministrators
- DeviceSupport
- HelpdeskOperator
- ServerAdministrators
- SecurityAdministrators
- ReadOnlyUsers
These roles are represented through MDM infrastructure groups that the Active Directory Configuration Tool (ADConfig) creates. For more information about these groups, see "ADConfig Tool" in the MDM Technical Library on TechNet.
Tasks by Administrator Roles
The following shows the tasks that each administrator role gives users.
DeviceAdministrators
The DeviceAdministrators role is represented through the SCMDMDeviceAdmins (<instance name>) infrastructure group that ADConfig creates.
The following shows the tasks that a user who has the DeviceAdministrators role can perform.
| Cmdlet | Task |
|---|---|
| | Add a compromised managed Windows Mobile device to the blocked device table. |
| | Suspend all currently active device inventory collection tasks. |
| | Resume all device inventory collection tasks that were suspended by using the Disable-MDMInventory cmdlet. |
| | Return information about the current set of managed blocked devices. |
| | Return the current global device management configuration. |
| | Return the current configuration of the Enrollment service. |
| | Return pending managed device enrollment requests. |
| | Return operational log entries from the Enrollment service database. |
| | Return an MDMInstance object that represents the MDM instance that the current MDM Console is managing. |
| | Return information about devices that MDM manages. |
| | Return the complete set of transaction information for the specified managed device from the server operations log file. |
| | Return the complete set of collected inventory data for the specified managed device. |
| | Return status information for the specified managed device. |
| | Return the current gateway-specific settings and the last known configuration status. |
| | Return the global virtual private network (VPN) settings shared among all computers that are running MDM Gateway Server. |
| | Return a collection of MDMInstance objects that represent the MDM instances in your company. |
| | Return the currently active device inventory collection tasks. |
| | Return the collection of servers in MDM. |
| | Return the current configuration of the Group Policy service. |
| | Return the current configuration of the MDM software distribution service. |
| | Return the current configuration of the wipe service. |
| | Return the unprocessed wipe requests for the specified managed device. |
| | Create a new managed device enrollment request. |
| | Create a new device inventory collection task. |
| | Create a new wipe request that deletes all content on the targeted managed device. |
| | Remove a managed device from the Blocked Device Table. |
| | Remove a pending enrollment request for a managed device. |
| | Remove operational log entries from the Enrollment service database. |
| | Remove the specified device inventory collection task from the task list on the server. |
| | Remove a wipe request for the specified managed device if the wipe request is still unprocessed. |
| | Set all device inventory collection settings to their default values. |
| | Set the global device management configuration values. |
| | Update the current configuration of the Enrollment service by using the provided values. |
| | Configure the current MDM Console to manage a specific MDM instance. |
| | Update the global VPN settings shared among all computers that are running MDM Gateway Server. |
| | Set the collection frequency for a device inventory collection item. |
| | Set the configuration of the Group Policy service. |
| | Set the configuration of the MDM software distribution service. |
| | Configure the properties of the wipe service. |
| | Update each MDM Gateway Server by sending configuration and other information from the Mobile Device Manager Gateway Central Management (GCM) component of MDM Device Management Server. |
| | Update the Resultant Set of Policy (RSoP) held by the server for a given device. |
DeviceSupport
The DeviceSupport role is represented through the SCMDMDeviceSupport (<instance name>) infrastructure group that ADConfig creates.
The following shows the tasks that a user who has the DeviceSupport role can perform.
| Cmdlet | Task |
|---|---|
| | Add a compromised managed device to the blocked device table. |
| | Return information about the current set of managed devices that are blocked. |
| | Return the current global device management configuration. |
| | Return the current configuration of the Enrollment service. |
| | Return pending managed device enrollment requests. |
| | Return operational log entries from the Enrollment service database. |
| | Return an MDMInstance object that represents the MDM instance that the current MDM Console is managing. |
| | Return information about devices that MDM manages. |
| | Return the complete set of transaction information for the specified managed device from the server operations log file. |
| | Return the complete set of collected inventory data for the specified managed device. |
| | Return status information for the specified managed device. |
| | Return the current gateway-specific settings and the last known configuration status. |
| | Return the global VPN settings shared among all computers that are running MDM Gateway Server. |
| | Return a collection of MDMInstance objects that represent the MDM instances in your company. |
| | Return the currently active device inventory collection tasks. |
| | Return the collection of servers in MDM. |
| | Return the current configuration of the Group Policy service. |
| | Return the current configuration of the MDM software distribution service. |
| | Return the current configuration of the wipe service. |
| | Return the unprocessed wipe requests for the specified managed device. |
| | Create a new managed device enrollment request. |
| | Create a new wipe request that deletes all content on the targeted managed device. |
| | Remove a managed device from the Blocked Device Table. |
| | Remove a pending enrollment request for a managed device. |
| | Remove a wipe request for the specified managed device if the wipe request is still unprocessed. |
| | Configure the current MDM Console to manage a specific MDM instance. |
| | Update the RSoP held by the server for a given device. |
HelpdeskOperator
The HelpdeskOperator role is represented through the SCMDMHelpdeskOperator (<instance name>) infrastructure group that ADConfig creates.
The following shows the tasks that a user who has the HelpdeskOperator role can perform.
| Cmdlet | Task |
|---|---|
| | Return information about the current set of managed devices that are blocked. |
| | Return the current global device management configuration. |
| | Return the current configuration of the Enrollment service. |
| | Return pending managed device enrollment requests. |
| | Return operational log entries from the Enrollment service database. |
| | Return an MDMInstance object that represents the MDM instance that the current MDM Console is managing. |
| | Return information about devices that MDM manages. |
| | Return the complete set of transaction information for the specified managed device from the server operations log file. |
| | Return the complete set of collected inventory data for the specified managed device. |
| | Return status information for the specified managed device. |
| | Return the current gateway-specific settings and the last known configuration status. |
| | Return the global VPN settings shared among all computers that are running MDM Gateway Server. |
| | Return a collection of MDMInstance objects that represent the MDM instances in your company. |
| | Return the currently active device inventory collection tasks. |
| | Return the collection of servers in MDM. |
| | Return the current configuration of the Group Policy service. |
| | Return the current configuration of the MDM software distribution service. |
| | Return the current configuration of the wipe service. |
| | Return the unprocessed wipe requests for the specified managed device. |
| | Create a new managed device enrollment request. |
| | Remove a pending enrollment request for a managed device. |
| | Configure the current MDM Console to manage a specific MDM instance. |
| | Update the RSoP held by the server for a given device. |
ServerAdministrators
The ServerAdministrators role is represented through the SCMDMServerAdmins (<instance name>) infrastructure group that ADConfig creates.
The following shows the tasks that a user who has the ServerAdministrators role can perform.
| Cmdlet | Task |
|---|---|
| | Add a new computer that is running MDM Gateway Server to MDM. |
| | Disable Windows Software Trace Preprocessor (WPP) logging for one or more components. |
| | Enable WPP logging for one or more components. |
| | Return information about the current set of managed devices that are blocked. |
| | Return the current global device management configuration. |
| | Return the current configuration of the Enrollment service. |
| | Return pending managed device enrollment requests. |
| | Return operational log entries from the Enrollment service database. |
| | Return an MDMInstance object that represents the MDM instance that the current MDM Console is managing. |
| | Return information about devices that MDM manages. |
| | Return the complete set of transaction information for the specified managed device from the server operations log file. |
| | Return the complete set of collected inventory data for the specified managed device. |
| | Return status information for the specified managed device. |
| | Return the current gateway-specific settings and the last known configuration status. |
| | Return the global VPN settings shared among all computers that are running MDM Gateway Server. |
| | Return a collection of MDMInstance objects that represent the MDM instances in your company. |
| | Return the currently active device inventory collection tasks. |
| | Return the collection of servers in MDM. |
| | Return information about the currently enabled and active WPP components. |
| | Return the current configuration of the Group Policy service. |
| | Return the current configuration of the MDM software distribution service. |
| | Return the current configuration of the wipe service. |
| | Return the unprocessed wipe requests for the specified managed device. |
| | Remove MDM Gateway Server and all corresponding properties from MDM. |
| | Set the global device management configuration values. |
| | Update the current configuration of the Enrollment service by using the provided values. |
| | Configure the current MDM Console to manage a specific MDM instance. |
| | Update the current settings for the specified MDM Gateway Server. |
| | Update the global VPN settings shared among all computers that are running MDM Gateway Server. |
| | Set the configuration of the Group Policy service. |
| | Set the configuration of the MDM software distribution service. |
| | Configure the properties of the wipe service. |
| | Start the VPN service on the specified MDM Gateway Server. |
| | Stop the VPN service on the specified MDM Gateway Server. |
| | Update each MDM Gateway Server by sending configuration and other information from the MDM GCM component of MDM Device Management Server. |
| | Update the RSoP held by the server for a given device. |
SecurityAdministrators
The SecurityAdministrators role is represented through the SCMDMSelfSecurityAdmins (<instance name>) infrastructure group that ADConfig creates.
Security administrators have no explicit permissions on any cmdlet. However, members of this group, which ADConfig.exe /createinstance creates, have permission to add and remove members of all other MDM administrator groups. Domain administrators can delegate the security of MDM to security administrators.
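Because security administrators control membership of every other MDM group, their membership decides who can effectively perform any task in the tables on this page. The following PowerShell script is an added example, not part of this topic or of the MDM product: it audits the infrastructure groups for one MDM instance, assuming the ActiveDirectory module is available, that the groups follow the "SCMDM<Role> (<instance name>)" naming shown above, and that the caller supplies the instance name (the 'ContosoMDM' in the parameter comment is a placeholder).

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the MDM documentation or product. Audits the
# membership of the MDM infrastructure groups that ADConfig creates for one
# MDM instance. Assumptions: the ActiveDirectory module is installed and the
# groups are named "SCMDM<Role> (<instance name>)" as shown in this topic.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstanceName   # placeholder example value: 'ContosoMDM'
)

# Group name prefix -> administrator role, as listed in this topic.
$roleGroups = [ordered]@{
    'SCMDMServerAdmins'       = 'ServerAdministrators'
    'SCMDMDeviceAdmins'       = 'DeviceAdministrators'
    'SCMDMDeviceSupport'      = 'DeviceSupport'
    'SCMDMHelpdeskOperator'   = 'HelpdeskOperator'
    'SCMDMReadOnlyUsers'      = 'ReadOnlyUsers'
    'SCMDMSelfSecurityAdmins' = 'SecurityAdministrators'
}

# Resolve each group's effective (nested) membership down to user accounts.
$membership = @{}
foreach ($prefix in $roleGroups.Keys) {
    $role      = $roleGroups[$prefix]
    $groupName = "$prefix ($InstanceName)"
    $membership[$role] = @()
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) {
        Write-Warning "Group '$groupName' not found; treating '$role' as empty."
        continue
    }
    $membership[$role] = @(
        Get-ADGroupMember -Identity $group.DistinguishedName -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty SamAccountName
    )
}

# Per the tables in this topic, only DeviceAdministrators and DeviceSupport can
# create wipe requests or block devices: these accounts can destroy or cut off
# a managed device.
$wipeCapable = @($membership['DeviceAdministrators'] + $membership['DeviceSupport'] |
    Sort-Object -Unique)

# SecurityAdministrators hold no cmdlet permissions but control membership of
# every other MDM group, so in practice they are the most privileged role.
$securityAdmins = $membership['SecurityAdministrators']

# An account that is both a security administrator and an operational
# administrator can grant itself any MDM task, which defeats the separation
# that delegating to security administrators is meant to provide.
$operational = @($wipeCapable + $membership['ServerAdministrators'] | Sort-Object -Unique)
$dualRole    = @($securityAdmins | Where-Object { $operational -contains $_ })

[pscustomobject]@{
    Instance               = $InstanceName
    SecurityAdministrators = $securityAdmins
    WipeCapableAccounts    = $wipeCapable
    SecurityAndOperational = $dualRole
    ReadOnlyUserCount      = $membership['ReadOnlyUsers'].Count
}
```

Run it under an account that can read group membership in the domain; any name listed under SecurityAndOperational is a candidate for review against the separation of duties the delegation model intends.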
ReadOnlyUsers
The ReadOnlyUsers role is represented through the SCMDMReadOnlyUsers (<instance name>) infrastructure group that ADConfig creates.
The following table shows the tasks that a user who has the ReadOnlyUsers role can perform.
| Cmdlet | Task |
|---|---|
| | Return information about the current set of managed blocked devices. |
| | Return the current global device management configuration. |
| | Return the current configuration of the Enrollment service. |
| | Return pending managed device enrollment requests. |
| | Return operational log entries from the Enrollment service database. |
| | Return an MDMInstance object that represents the MDM instance that the current MDM Console is managing. |
| | Return information about devices that MDM manages. |
| | Return the complete set of transaction information for the specified managed device from the server operations log file. |
| | Return the complete set of collected inventory data for the specified managed device. |
| | Return status information for the specified managed device. |
| | Return the current gateway-specific settings and the last known configuration status. |
| | Return the global virtual private network (VPN) settings shared among all computers that are running MDM Gateway Server. |
| | Return a collection of MDMInstance objects that represent the MDM instances in your company. |
| | Return the currently active device inventory collection tasks. |
| | Return the collection of servers in MDM. |
| | Return the current configuration of the Group Policy service. |
| | Return the current configuration of the MDM software distribution service. |
| | Return the current configuration of the wipe service. |
| | Return the unprocessed wipe requests for the specified managed device. |
| | Configure the current MDM Console to manage a specific MDM instance. |
Tasks and Administrator Roles by Cmdlet
The following table lists each task together with the administrator roles that are permitted to perform it.
| Cmdlet | Task | Required Admin Role |
|---|---|---|
| | Add a compromised managed device to the blocked device table. | DeviceAdministrators, DeviceSupport |
| | Add a new computer that is running MDM Gateway Server to MDM. | ServerAdministrators |
| | Suspend all currently active device inventory collection tasks. | DeviceAdministrators |
| | Disable WPP logging for one or more components. | ServerAdministrators, or local machine administrators when run from a computer that is running MDM when there are no local administrator privileges. |
| | Resume all device inventory collection tasks that were suspended with the Disable-MDMInventory cmdlet. | DeviceAdministrators |
| | Enable WPP logging for one or more components. | ServerAdministrators, or local machine administrators when run from a computer that is running MDM when there are no local administrator privileges. |
| | Return information about the current set of managed devices that are blocked. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator, ReadOnlyUsers |
| | Return the current global device management configuration. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator, ReadOnlyUsers |
| | Return the current configuration of the Enrollment service. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator, ReadOnlyUsers |
| | Return pending managed device enrollment requests. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator, ReadOnlyUsers |
| | Return operational log entries from the Enrollment service database. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator, ReadOnlyUsers |
| | Return an MDMInstance object that represents the MDM instance that the current MDM Console is managing. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator, ReadOnlyUsers |
| | Return information about devices that MDM manages. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator, ReadOnlyUsers |
| | Return the complete set of transaction information for the specified managed device from the server operations log file. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator, ReadOnlyUsers |
| | Return the complete set of collected inventory data for the specified managed device. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator, ReadOnlyUsers |
| | Return status information for the specified managed device. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator, ReadOnlyUsers |
| | Return the current gateway-specific settings and the last known configuration status. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator, ReadOnlyUsers |
| | Return the global VPN settings shared among all computers that are running MDM Gateway Server. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator, ReadOnlyUsers |
| | Return a collection of MDMInstance objects that represent the MDM instances in your company. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator, ReadOnlyUsers |
| | Return the currently active device inventory collection tasks. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator, ReadOnlyUsers |
| | Return the collection of servers in MDM. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator, ReadOnlyUsers |
| | Return information about the currently enabled and active Windows Software Trace Preprocessor (WPP) components. | ServerAdministrators |
| | Return the current configuration of the Group Policy service. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator, ReadOnlyUsers |
| | Return the current configuration of the MDM software distribution service. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| | Return the current configuration of the wipe service. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator, ReadOnlyUsers |
| | Return the unprocessed wipe requests for the specified managed device. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator, ReadOnlyUsers |
| | Create a new managed device enrollment request. | DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| | Create a new device inventory collection task. | DeviceAdministrators |
| | Create a new wipe request that deletes all content on the targeted managed device. | DeviceAdministrators, DeviceSupport |
| | Remove a managed device from the Blocked Device Table. | DeviceAdministrators, DeviceSupport |
| | Remove a pending enrollment request for a managed device. | DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| | Remove operational log entries from the Enrollment service database. | DeviceAdministrators |
| | Remove MDM Gateway Server and all corresponding properties from MDM. | ServerAdministrators |
| | Remove the specified device inventory collection task from the task list on the server. | DeviceAdministrators |
| | Remove a wipe request for the specified managed device if the wipe request is still unprocessed. | DeviceAdministrators, DeviceSupport |
| | Set all device inventory collection settings to their default values. | ServerAdministrators, DeviceAdministrators |
| | Set the global device management configuration values. | ServerAdministrators, DeviceAdministrators |
| | Update the current configuration of the Enrollment service by using the provided values. | ServerAdministrators, DeviceAdministrators |
| | Grant the MDM Enrollment Server permission to create computer objects for managed devices in the specified Active Directory container. | Domain Administrator |
| | Configure the current MDM Console to manage a specific MDM instance. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator, ReadOnlyUsers |
| | Update the current settings for the specified MDM Gateway Server. | ServerAdministrators |
| | Update the global VPN settings shared among all computers that are running MDM Gateway Server. | ServerAdministrators, DeviceAdministrators |
| | Set the collection frequency for a device inventory collection item. | DeviceAdministrators |
| | Set the configuration of the Group Policy service. | ServerAdministrators, DeviceAdministrators |
| | Set the configuration of the MDM software distribution service. | ServerAdministrators, DeviceAdministrators |
| | Configure the properties of the wipe service. | ServerAdministrators, DeviceAdministrators |
| | Start the VPN service on the specified MDM Gateway Server. | ServerAdministrators |
| | Stop the VPN service on the specified MDM Gateway Server. | ServerAdministrators |
| | Update each MDM Gateway Server by sending configuration and other information from the MDM GCM component of MDM Device Management Server. | ServerAdministrators, DeviceAdministrators |
| | Update the RSoP held by the server for a given device. | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |