System Center Mobile Device Manager (MDM) uses role-based access control. Unlike an authentication system that specifies who a user is, role-based access is an authorization system that specifies what a user is authorized to access and what tasks that person can perform.
The following shows the server infrastructure roles:
- DeviceManagementServers
- EnrollmentServers
- SelfService
 
Tasks by Infrastructure Role
The following shows the tasks that each infrastructure role gives users.
DeviceManagementServers
The following shows the tasks that a user who has the DeviceManagementServers role can perform.
| Task | Cmdlet |
|---|---|
| Add a compromised managed Windows Mobile device to the blocked device table. | Add-BlockedDevice |

EnrollmentServers
The following shows the tasks that a user who has the EnrollmentServers role can perform.
| Task | Cmdlet |
|---|---|
| Return information about the current set of managed devices that are blocked. | Get-BlockedDevice |

SelfService
The following shows the tasks that a user who has the SelfService role can perform.
| Task | Cmdlet |
|---|---|
| Remove a wipe request for the specified managed Windows Mobile device if the wipe request is yet unprocessed. | Remove-WipeRequest |
| Create a new managed device enrollment request. | New-EnrollmentRequest |
| Create a new wipe request that deletes all content on the targeted managed device. | New-WipeRequest |
| Remove a pending enrollment request for a managed device. | Remove-EnrollmentRequest |
| Remove a wipe request for the specified managed device if the wipe request is yet unprocessed. | Remove-WipeRequest |
| Return information about devices that MDM manages. | Get-MDMDevice |
| Return pending managed device enrollment requests. | Get-EnrollmentRequest |
| Return status information for the specified managed device. | Get-MDMDeviceStatus |
| Return the unprocessed wipe requests for the specified managed device. | Get-WipeRequest |

Tasks and Administrator Roles by Cmdlet
The following shows the tasks that each role can perform.
| Task | Cmdlet | Required Admin Role |
|---|---|---|
| Add a compromised managed device to the blocked device table. | Add-BlockedDevice | DeviceManagementServers |
| Return information about the current set of managed devices that are blocked. | Get-BlockedDevice | EnrollmentServers |
| Return pending managed device enrollment requests. | Get-EnrollmentRequest | SelfService |
| Return information about managed devices that MDM controls. | Get-MDMDevice | SelfService |
| Return status information for the specified managed device. | Get-MDMDeviceStatus | SelfService |
| Return the unprocessed wipe requests for the specified managed device. | Get-WipeRequest | SelfService |
| Create a new managed device enrollment request. | New-EnrollmentRequest | SelfService |
| Create a new wipe request that deletes all content on the targeted managed device. | New-WipeRequest | SelfService |
| Remove a pending enrollment request for a managed device. | Remove-EnrollmentRequest | SelfService |
| Remove a wipe request for the specified managed device if the wipe request is yet unprocessed. | Remove-WipeRequest | SelfService |