I suggest you ...

← Suggestions

add more granular SimpleMDM User Roles

As the lead client systems engineer at a medium sized global organization I would like to be able to more granularly delegate current aspects of User Roles in SimpleMDM for a variety of reasons.

Example: I want to allow my Service Desk and Audio Visual team members to move devices into and out of groups to control features like Single Application Lock for appliance iPads, without giving them access to modify account level settings or make changes to the group configurations.

93 votes
Vote
Sign in
(thinking…)
Sign in with: Facebook Google
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
v white shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
AdminSimpleMDM (--------, SimpleMDM) responded  · 

Admin configuration permissions are now more granular, allowing for configuration of just profiles, devices, enrollments, or other aspects of SimpleMDM.

This ticket will remain open as some of the requests related to permission scoped to individual devices or device groups.

17 comments

Sign in
(thinking…)
Sign in with: Facebook Google
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Doug Lewis commented  ·   ·  Flag as inappropriate

    We have multiple sites and would like to enable site managers but we want to restrict them to devices in their site groups only. Say a checkbox where you can enable device groups in the individual site.

  • David K. commented  ·   ·  Flag as inappropriate

    And maybe one extra also for:

    Enrollments:
    Automated Enrollments (DEP), group and one-time enrollments

    Enrollments sync:
    Allow to sync Automated Enrollments DEP (so user will be not able to change settings or create enrollments but will be able to force sync with DEP/ABM)

  • David K. commented  ·   ·  Flag as inappropriate

    Can we make this divined between two "permisions"?

    From:
    Allow device actions:
    Push assigned apps, media and updates. Wipe, lock, remove passcode, locate, and message devices. Enable and disable lost mode for devices.

    To:
    Allow device actions:
    Push assigned apps, media and updates

    Allow extra device actions:
    Wipe, lock, remove passcode, locate, and message devices. Enable and disable lost mode for devices

  • Igor commented  ·   ·  Flag as inappropriate

    I would love to see this also , I want to allow my low admins to move from one group to another

  • Adam Engelbrecht commented  ·   ·  Flag as inappropriate

    This would be very useful and help keep down some mistakes that have been made within our growing IT group as well. (2 votes)

  • Anonymous commented  ·   ·  Flag as inappropriate

    This would be very beneficial feature in a global organization with more complex organizational structure. It would be nice to be able to give i.e. a local helpdesk agent in a country A access to a group of devices only in their country.

  • Anonymous commented  ·   ·  Flag as inappropriate

    "Allow configuration changes" is too general. We would like to restrict changes on group settings and only allow our colleagues to change the group of a device, but not the settings of the group.

  • yemartin commented  ·   ·  Flag as inappropriate

    (or create a new permission for it)

    Right now the set of permissions does not work for our use case, which I believe should be quite common:

    1) One set of people (our engineers) creates the various configs, profiles, groups, and define custom attributes. These guys need access to the "Configs", "Apps" and "Devices" sections. On "Devices", they are mostly interested in creating Groups.

    2) A separate set of people (IT support staff) deals with actually deploying the devices. These people need only access to the "Devices" tabs. But they needs access not only to the "Device actions", but also to the per-device settings, in particular, custom attributes.

    The problem is that now, there is no permission that fits our support staff role: The "Allow device actions" is not enough since this does not allow the setting of per-device custom attributes. But "Allow configuration changes" is too much, as it allows modifying "Configs". This is particularly bad because there is no audit trails of who changed what, and when, so we need to restrict access to modifying Configs.

  • Dan Kuehling commented  ·   ·  Flag as inappropriate

    We would need this to enable a particular quirky bit of organization in our relatively small school district. Our special ed department needs to be able to manage (push apps, primarily) their own fleet of iPads, and we as the IT department need to be able to manage the rest of the district's fleet, as well as push down certain common settings like Wi-Fi configuration to all of the devices. Unfortunately we can't trust the special ed department to "stay in their lane" if we gave them admin access to all of the devices.

    Sadly, this will likely be a dealbreaker for us on adopting SimpleMDM.

  • Anonymous commented  ·   ·  Flag as inappropriate

    This would be super useful for us. While we're one IT team across multiple offices it would be great to be able to delegate access to specific groups e.g. for contractors.

  • Rusty Myers commented  ·   ·  Flag as inappropriate

    Provide a mechanism for a large organization to distribute management of devices for departments/campuses/colleges/units. Management policies should be able to be applied at the organizational level as well as the "unit" level. Devices should be able to automatically sort to unit levels based on properties. Admins should be able to manage one or multiple units. VPP accounts should be available for the whole organization and units. DEP should be available for the whole organization and units.

  • AdminSimpleMDM (--------, SimpleMDM) commented  ·   ·  Flag as inappropriate

    Have you considered opening separate SimpleMDM accounts for each of your customers and then granting your user account access to each? This allows you to achieve full account configuration and billing isolation.

  • Anonymous commented  ·   ·  Flag as inappropriate

    As an MSP, id like to be able to deploy SimpleMDM from my single account to multiple clients. Under the admin login, see all devices in all groups, set policies, etc. Im looking for the ability to be able to have the client login and view the details of the devices in their particular group, but not see devices I have in other groups for other clients.

  • AdminSimpleMDM (--------, SimpleMDM) commented  ·   ·  Flag as inappropriate

    How do you envision controlling access to shared configurations? For instance, if an admin is limited to managing one group of devices, are they permitted to create or modify profiles related to that group that may be related to other groups as well?

  • Nicolas Grasset commented  ·   ·  Flag as inappropriate

    This would be really useful to allow more local admins to control their devices, until then we're limited to only having super-admins who won't be the same people.

  • Eric Jiang commented  ·   ·  Flag as inappropriate

    Our org works with other organizations to help them with managing their devices.

    We would like to create user accounts that can only manage devices within certain device groups, so that we can give them MDM access to only their devices.

Suggestions

Categories

Feedback and Knowledge Base

(thinking…)