System Center Mobile Device Manager (MDM) uses role-based access control. Unlike an authentication system that specifies who a user is, role-based access is an authorization system that specifies what a user is authorized to access and what tasks that person can perform.
The following shows the Administrator Roles:
- DeviceAdministrators
- DeviceSupport
- HelpdeskOperator
- ServerAdministrators

Tasks by Administrator Roles
The following shows the tasks that each administrator role gives users.
DeviceAdministrators
The following shows the tasks that a user who has the DeviceAdministrators role can perform.
| Task | Cmdlet |
|---|---|
| Remove a wipe request for the specified managed Windows Mobile device if the wipe request is yet unprocessed. | Remove-WipeRequest |
| Add a compromised managed Windows Mobile device to the blocked device table. | Add-BlockedDevice |
| Configure the properties of the wipe service. | Set-WipeConfig |
| Create a new device inventory collection task. | New-MDMInventoryItem |
| Create a new managed device enrollment request. | New-EnrollmentRequest |
| Create a new wipe request that deletes all content on the targeted managed device. | New-WipeRequest |
| Remove a managed device from the Blocked Device Table. | Remove-BlockedDevice |
| Remove a pending enrollment request for a managed device. | Remove-EnrollmentRequest |
| Remove a wipe request for the specified managed device if the wipe request is yet unprocessed. | Remove-WipeRequest |
| Remove operational log entries from the Enrollment service database. | Remove-EnrollmentServiceLog |
| Remove the specified device inventory collection task from the task list on the server. | Remove-MDMInventoryItem |
| Resume all device inventory collection tasks that were suspended by using the Disable-MDMInventory cmdlet. | Enable-MDMInventory |
| Return information about devices that MDM manages. | Get-MDMDevice |
| Return information about the current set of managed blocked devices. | Get-BlockedDevice |
| Return operational log entries from the Enrollment service database. | Get-EnrollmentServiceLog |
| Return pending managed device enrollment requests. | Get-EnrollmentRequest |
| Return status information for the specified managed device. | Get-MDMDeviceStatus |
| Return the collection of servers in MDM. | Get-MDMServer |
| Return the complete set of collected inventory data for the specified managed device. | Get-MDMDeviceInventory |
| Return the complete set of transaction information for the specified managed device from the server operations log file. | Get-MDMDeviceHistory |
| Return the current configuration of the Enrollment service. | Get-EnrollmentConfig |
| Return the current configuration of the Group Policy service. | Get-MobilePolicyServiceConfig |
| Return the current configuration of the wipe service. | Get-WipeConfig |
| Return the current global device management configuration. | Get-DeviceManagementConfig |
| Return the currently active device inventory collection tasks. | Get-MDMInventoryItem |
| Return the global virtual private network (VPN) settings shared among all computers that are running MDM Gateway Server. | Get-MDMGlobalGatewayConfig |
| Return the unprocessed wipe requests for the specified managed device. | Get-WipeRequest |
| Set all device inventory collection settings to their default values. | Restore-MDMInventoryDefaults |
| Set the collection frequency for a device inventory collection item. | Set-MDMInventoryItem |
| Return the current configuration of MDM software distribution service. | Get-SoftwareDistributionConfig |
| Set the configuration of MDM software distribution service. | Set-SoftwareDistributionConfig |
| Set the configuration of the Group Policy service. | Set-MobilePolicyServiceConfig |
| Set the global device management configuration values. | Set-DeviceManagementConfig |
| Suspend all currently active device inventory collection tasks. | Disable-MDMInventory |
| Update the current configuration of the Enrollment service by using the provided values. | Set-EnrollmentConfig |
| Update the global VPN settings shared among all computers that are running MDM Gateway Server. | Set-MDMGlobalGatewayConfig |
| Update the Resultant Set of Policy (RSoP) held by the server for a given device. | Update-MobilePolicyCalculation |

DeviceSupport
The following shows the tasks that a user who has the DeviceSupport role can perform.
| Task | Cmdlet |
|---|---|
| Remove a wipe request for the specified managed Windows Mobile device if the wipe request is yet unprocessed. | Remove-WipeRequest |
| Add a compromised managed device to the blocked device table. | Add-BlockedDevice |
| Create a new managed device enrollment request. | New-EnrollmentRequest |
| Create a new wipe request that deletes all content on the targeted managed device. | New-WipeRequest |
| Remove a managed device from the Blocked Device Table. | Remove-BlockedDevice |
| Remove a pending enrollment request for a managed device. | Remove-EnrollmentRequest |
| Remove a wipe request for the specified managed device if the wipe request is yet unprocessed. | Remove-WipeRequest |
| Return information about devices that MDM manages. | Get-MDMDevice |
| Return information about the current set of managed devices that are blocked. | Get-BlockedDevice |
| Return operational log entries from the Enrollment service database. | Get-EnrollmentServiceLog |
| Return pending managed device enrollment requests. | Get-EnrollmentRequest |
| Return status information for the specified managed device. | Get-MDMDeviceStatus |
| Return the collection of servers in MDM. | Get-MDMServer |
| Return the complete set of collected inventory data for the specified managed device. | Get-MDMDeviceInventory |
| Return the complete set of transaction information for the specified managed device from the server operations log file. | Get-MDMDeviceHistory |
| Return the current configuration of the Enrollment service. | Get-EnrollmentConfig |
| Return the current configuration of the Group Policy service. | Get-MobilePolicyServiceConfig |
| Return the current configuration of MDM software distribution service. | Get-SoftwareDistributionConfig |
| Return the current configuration of the wipe service. | Get-WipeConfig |
| Return the current gateway-specific settings and the last known configuration status. | Get-MDMGatewayServer |
| Return the current global device management configuration. | Get-DeviceManagementConfig |
| Return the currently active device inventory collection tasks. | Get-MDMInventoryItem |
| Return the global VPN settings shared among all computers that are running MDM Gateway Server. | Get-MDMGlobalGatewayConfig |
| Return the unprocessed wipe requests for the specified managed device. | Get-WipeRequest |
| Update the RSoP held by the server for a given device. | Update-MobilePolicyCalculation |

HelpdeskOperator
The following shows the tasks that a user who has the HelpdeskOperator role can perform.
| Task | Cmdlet |
|---|---|
| Create a new managed device enrollment request. | New-EnrollmentRequest |
| Remove a pending enrollment request for a managed device. | Remove-EnrollmentRequest |
| Return information about devices that MDM manages. | Get-MDMDevice |
| Return information about the current set of managed devices that are blocked. | Get-BlockedDevice |
| Return operational log entries from the Enrollment service database. | Get-EnrollmentServiceLog |
| Return pending managed device enrollment requests. | Get-EnrollmentRequest |
| Return status information for the specified managed device. | Get-MDMDeviceStatus |
| Return the collection of servers in MDM. | Get-MDMServer |
| Return the complete set of collected inventory data for the specified managed device. | Get-MDMDeviceInventory |
| Return the complete set of transaction information for the specified managed device from the server operations log file. | Get-MDMDeviceHistory |
| Return the current configuration of the Enrollment service. | Get-EnrollmentConfig |
| Return the current configuration of the Group Policy service. | Get-MobilePolicyServiceConfig |
| Return the current configuration of MDM software distribution service. | Get-SoftwareDistributionConfig |
| Return the current configuration of the wipe service. | Get-WipeConfig |
| Return the current gateway-specific settings and the last known configuration status. | Get-MDMGatewayServer |
| Return the current global device management configuration. | Get-DeviceManagementConfig |
| Return the currently active device inventory collection tasks. | Get-MDMInventoryItem |
| Return the global VPN settings shared among all computers that are running MDM Gateway Server. | Get-MDMGlobalGatewayConfig |
| Return the unprocessed wipe requests for the specified managed device. | Get-WipeRequest |
| Update the RSoP held by the server for a given device. | Update-MobilePolicyCalculation |

ServerAdministrators
The following shows the tasks that a user who has the ServerAdministrators role can perform.
| Task | Cmdlet |
|---|---|
| Add a new computer that is running MDM Gateway Server to MDM. | Add-MDMGatewayServer |
| Configure the properties of the wipe service. | Set-WipeConfig |
| Disable Windows Preprocessor (WPP) logging for one or more components. | Disable-MDMTrace |
| Enable WPP logging for one or more components. | Enable-MDMTrace |
| Remove MDM Gateway Server and all corresponding properties from MDM. | Remove-MDMGatewayServer |
| Return information about devices that MDM manages. | Get-MDMDevice |
| Return information about the current set of managed devices that are blocked. | Get-BlockedDevice |
| Return operational log entries from the Enrollment service database. | Get-EnrollmentServiceLog |
| Return pending managed device enrollment requests. | Get-EnrollmentRequest |
| Return status information for the specified managed device. | Get-MDMDeviceStatus |
| Return the collection of servers in MDM. | Get-MDMServer |
| Return the complete set of collected inventory data for the specified managed device. | Get-MDMDeviceInventory |
| Return the complete set of transaction information for the specified managed device from the server operations log file. | Get-MDMDeviceHistory |
| Return the current configuration of the Enrollment service. | Get-EnrollmentConfig |
| Return the current configuration of the Group Policy service. | Get-MobilePolicyServiceConfig |
| Return the current configuration of the wipe service. | Get-WipeConfig |
| Return the current gateway-specific settings and the last known configuration status. | Get-MDMGatewayServer |
| Return the current global device management configuration. | Get-DeviceManagementConfig |
| Return the currently active device inventory collection tasks. | Get-MDMInventoryItem |
| Return the global VPN settings shared among all computers that are running MDM Gateway Server. | Get-MDMGlobalGatewayConfig |
| Return the unprocessed wipe requests for the specified managed device. | Get-WipeRequest |
| Set the configuration of the Group Policy service. | Set-MobilePolicyServiceConfig |
| Return the current configuration of MDM software distribution service. | Get-SoftwareDistributionConfig |
| Set the configuration of MDM software distribution service. | Set-SoftwareDistributionConfig |
| Set the global device management configuration values. | Set-DeviceManagementConfig |
| Start the VPN service on the specified MDM Gateway Server. | Start-MDMVPNService |
| Stop the VPN service on the specified MDM Gateway Server. | Stop-MDMVPNService |
| Update the current configuration of the Enrollment service by using the provided values. | Set-EnrollmentConfig |
| Update the current settings for the specified MDM Gateway Server. | Set-MDMGatewayServer |
| Update the global VPN settings shared among all computers that are running MDM Gateway Server. | Set-MDMGlobalGatewayConfig |
| Update the RSoP held by the server for a given device. | Update-MobilePolicyCalculation |

Tasks and Administrator Roles by Cmdlet
The following shows the tasks that each role can perform.
| Task | Cmdlet | Required Admin Role |
|---|---|---|
| Add a compromised managed device to the blocked device table. | Add-BlockedDevice | DeviceAdministrators, DeviceSupport |
| Add a new computer that is running MDM Gateway Server to MDM. | Add-MDMGatewayServer | ServerAdministrators |
| Suspend all currently active device inventory collection tasks. | Disable-MDMInventory | DeviceAdministrators |
| Disable WPP logging for one or more components. | Disable-MDMTrace | ServerAdministrators or local machine administrators when run from a computer that is running MDM when there are no local administrator privileges. |
| Resume all device inventory collection tasks that were suspended with the Disable-MDMInventory cmdlet. | Enable-MDMInventory | DeviceAdministrators |
| Enable WPP logging for one or more components. | Enable-MDMTrace | ServerAdministrators role, or local machine administrators when run from a computer that is running MDM when there are no local administrator privileges. |
| Return information about the current set of managed devices that are blocked. | Get-BlockedDevice | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the current global device management configuration. | Get-DeviceManagementConfig | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the current configuration of the Enrollment service. | Get-EnrollmentConfig | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return pending managed device enrollment requests. | Get-EnrollmentRequest | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return operational log entries from the Enrollment service database. | Get-EnrollmentServiceLog | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return information about managed devices that MDM controls. | Get-MDMDevice | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the complete set of transaction information for the specified managed device from the server operations log file. | Get-MDMDeviceHistory | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the complete set of collected inventory data for the specified managed device. | Get-MDMDeviceInventory | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return status information for the specified managed device. | Get-MDMDeviceStatus | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the current gateway-specific settings and the last known configuration status. | Get-MDMGatewayServer | ServerAdministrators, DeviceSupport, HelpdeskOperator |
| Return the global VPN settings shared among all computers that are running MDM Gateway Server. | Get-MDMGlobalGatewayConfig | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the currently active device inventory collection tasks. | Get-MDMInventoryItem | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the collection of servers in MDM. | Get-MDMServer | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the current configuration of the Group Policy service. | Get-MobilePolicyServiceConfig | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the current configuration of MDM software distribution service. | Get-SoftwareDistributionConfig | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the current configuration of the wipe service. | Get-WipeConfig | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the unprocessed wipe requests for the specified managed device. | Get-WipeRequest | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Create a new managed device enrollment request. | New-EnrollmentRequest | DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Create a new device inventory collection task. | New-MDMInventoryItem | DeviceAdministrators |
| Create a new wipe request that deletes all content on the targeted managed device. | New-WipeRequest | DeviceAdministrators, DeviceSupport |
| Remove a managed device from the Blocked Device Table. | Remove-BlockedDevice | DeviceAdministrators, DeviceSupport |
| Remove a pending enrollment request for a managed device. | Remove-EnrollmentRequest | DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Remove operational log entries from the Enrollment service database. | Remove-EnrollmentServiceLog | DeviceAdministrators |
| Remove MDM Gateway Server and all corresponding properties from MDM. | Remove-MDMGatewayServer | ServerAdministrators |
| Remove the specified device inventory collection task from the task list on the server. | Remove-MDMInventoryItem | DeviceAdministrators |
| Remove a wipe request for the specified managed device if the wipe request is yet unprocessed. | Remove-WipeRequest | DeviceAdministrators, DeviceSupport |
| Set all device inventory collection settings to their default values. | Restore-MDMInventoryDefaults | DeviceAdministrators |
| Set the global device management configuration values. | Set-DeviceManagementConfig | ServerAdministrators, DeviceAdministrators |
| Update the current configuration of the Enrollment service by using the provided values. | Set-EnrollmentConfig | ServerAdministrators, DeviceAdministrators |
| Update the current settings for the specified MDM Gateway Server. | Set-MDMGatewayServer | ServerAdministrators |
| Update the global VPN settings shared among all computers that are running MDM Gateway Server. | Set-MDMGlobalGatewayConfig | ServerAdministrators, DeviceAdministrators |
| Set the collection frequency for a device inventory collection item. | Set-MDMInventoryItem | DeviceAdministrators |
| Set the configuration of the Group Policy service. | Set-MobilePolicyServiceConfig | ServerAdministrators, DeviceAdministrators |
| Set the configuration of MDM software distribution service. | Set-SoftwareDistributionConfig | ServerAdministrators, DeviceAdministrators |
| Configure the properties of the wipe service. | Set-WipeConfig | ServerAdministrators, DeviceAdministrators |
| Start the VPN service on the specified MDM Gateway Server. | Start-MDMVPNService | ServerAdministrators |
| Stop the VPN service on the specified MDM Gateway Server. | Stop-MDMVPNService | ServerAdministrators |
| Update the RSoP held by the server for a given device. | Update-MobilePolicyCalculation | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |