add more granular SimpleMDM User Roles
As the lead client systems engineer at a medium sized global organization I would like to be able to more granularly delegate current aspects of User Roles in SimpleMDM for a variety of reasons.
Example: I want to allow my Service Desk and Audio Visual team members to move devices into and out of groups to control features like Single Application Lock for appliance iPads, without giving them access to modify account level settings or make changes to the group configurations.
v white
shared this idea
AdminSimpleMDM
(--------, SimpleMDM)
responded
Admin configuration permissions are now more granular, allowing for configuration of just profiles, devices, enrollments, or other aspects of SimpleMDM.
This ticket will remain open as some of the requests related to permission scoped to individual devices or device groups.
16 comments
-
David K.
commented
And maybe one extra also for:
Enrollments:
Automated Enrollments (DEP), group and one-time enrollmentsEnrollments sync:
Allow to sync Automated Enrollments DEP (so user will be not able to change settings or create enrollments but will be able to force sync with DEP/ABM) -
David K.
commented
Can we make this divined between two "permisions"?
From:
Allow device actions:
Push assigned apps, media and updates. Wipe, lock, remove passcode, locate, and message devices. Enable and disable lost mode for devices.To:
Allow device actions:
Push assigned apps, media and updatesAllow extra device actions:
Wipe, lock, remove passcode, locate, and message devices. Enable and disable lost mode for devices -
Igor
commented
I would love to see this also , I want to allow my low admins to move from one group to another
-
Adam Engelbrecht
commented
This would be very useful and help keep down some mistakes that have been made within our growing IT group as well. (2 votes)
-
Anonymous
commented
This would be very beneficial feature in a global organization with more complex organizational structure. It would be nice to be able to give i.e. a local helpdesk agent in a country A access to a group of devices only in their country.
-
Michelle Aubrey
commented
This would be very useful for my organization.
-
Anonymous
commented
"Allow configuration changes" is too general. We would like to restrict changes on group settings and only allow our colleagues to change the group of a device, but not the settings of the group.
-
yemartin
commented
(or create a new permission for it)
Right now the set of permissions does not work for our use case, which I believe should be quite common:
1) One set of people (our engineers) creates the various configs, profiles, groups, and define custom attributes. These guys need access to the "Configs", "Apps" and "Devices" sections. On "Devices", they are mostly interested in creating Groups.
2) A separate set of people (IT support staff) deals with actually deploying the devices. These people need only access to the "Devices" tabs. But they needs access not only to the "Device actions", but also to the per-device settings, in particular, custom attributes.
The problem is that now, there is no permission that fits our support staff role: The "Allow device actions" is not enough since this does not allow the setting of per-device custom attributes. But "Allow configuration changes" is too much, as it allows modifying "Configs". This is particularly bad because there is no audit trails of who changed what, and when, so we need to restrict access to modifying Configs.
-
Dan Kuehling
commented
We would need this to enable a particular quirky bit of organization in our relatively small school district. Our special ed department needs to be able to manage (push apps, primarily) their own fleet of iPads, and we as the IT department need to be able to manage the rest of the district's fleet, as well as push down certain common settings like Wi-Fi configuration to all of the devices. Unfortunately we can't trust the special ed department to "stay in their lane" if we gave them admin access to all of the devices.
Sadly, this will likely be a dealbreaker for us on adopting SimpleMDM.
-
Anonymous
commented
This would be super useful for us. While we're one IT team across multiple offices it would be great to be able to delegate access to specific groups e.g. for contractors.
-
Rusty Myers
commented
Provide a mechanism for a large organization to distribute management of devices for departments/campuses/colleges/units. Management policies should be able to be applied at the organizational level as well as the "unit" level. Devices should be able to automatically sort to unit levels based on properties. Admins should be able to manage one or multiple units. VPP accounts should be available for the whole organization and units. DEP should be available for the whole organization and units.
-
AdminSimpleMDM
(--------, SimpleMDM)
commented
Have you considered opening separate SimpleMDM accounts for each of your customers and then granting your user account access to each? This allows you to achieve full account configuration and billing isolation.
-
Anonymous
commented
As an MSP, id like to be able to deploy SimpleMDM from my single account to multiple clients. Under the admin login, see all devices in all groups, set policies, etc. Im looking for the ability to be able to have the client login and view the details of the devices in their particular group, but not see devices I have in other groups for other clients.
-
AdminSimpleMDM
(--------, SimpleMDM)
commented
How do you envision controlling access to shared configurations? For instance, if an admin is limited to managing one group of devices, are they permitted to create or modify profiles related to that group that may be related to other groups as well?
-
Nicolas Grasset
commented
This would be really useful to allow more local admins to control their devices, until then we're limited to only having super-admins who won't be the same people.
-
Eric Jiang
commented
Our org works with other organizations to help them with managing their devices.
We would like to create user accounts that can only manage devices within certain device groups, so that we can give them MDM access to only their devices.