add more granular SimpleMDM User Roles
As the lead client systems engineer at a medium-sized global organization, I would like to be able to more granularly delegate current aspects of User Roles in SimpleMDM for a variety of reasons.
Example: I want to allow my Service Desk and Audio Visual team members to move devices into and out of groups to control features like Single Application Lock for appliance iPads, without giving them access to modify account level settings or make changes to the group configurations.
Admin configuration permissions are now more granular, allowing for configuration of just profiles, devices, enrollments, or other aspects of SimpleMDM.
This ticket will remain open as some of the requests relate to permissions scoped to individual devices or device groups.
-
Mac Justice commented
More granularity for the "Device Actions" permission would be appreciated.
For example, if I'd like to have multiple tiered helpdesk roles, I'd like a Tier 1 user to be able to refresh inventory, or push assigned apps, but not be able to lock or wipe the device.
Also, since we do not have on-prem Macs there isn't much use for the Remote Desktop features, so I'd like to be able to hide those to avoid any confusion or misuse.
-
dziermeier commented
More granular user roles with device group access permissions to internal departments would be very useful in our organization.
-
Anonymous commented
It would be nice to be able to delegate access to only specific groups of devices via the roles feature. For example, we may want a staff member in department 'A' to be able to place department 'A' iPads in lost mode but would not want that person to be able to take action on devices in another department.
-
Matt commented
I would like to see the option where I could not only grant access to a particular group, but also give them permissions to change the SimpleMDM name. Our use case would be to have an Office Manager update the names as users change devices - essentially keeping up with inventory.
-
Doug Lewis commented
We have multiple sites and would like to enable site managers but we want to restrict them to devices in their site groups only. Say a checkbox where you can enable device groups in the individual site.
-
Anonymous commented
As we grow in the number of devices, we have a need to delegate device actions for specific groups. Can we have an option to restrict a specific role to one (or more) groups?
This would allow department heads to manage their own devices but not manage the devices of middle management or higher.
-
David K. commented
And maybe one extra also for:
Enrollments:
Automated Enrollments (DEP), group and one-time enrollments
Enrollments sync:
Allow to sync Automated Enrollments DEP (so the user will not be able to change settings or create enrollments but will be able to force sync with DEP/ABM)
-
David K. commented
Can we make this divided between two "permissions"?
From:
Allow device actions:
Push assigned apps, media and updates. Wipe, lock, remove passcode, locate, and message devices. Enable and disable lost mode for devices.
To:
Allow device actions:
Push assigned apps, media and updates
Allow extra device actions:
Wipe, lock, remove passcode, locate, and message devices. Enable and disable lost mode for devices
-
Igor commented
I would love to see this also. I want to allow my low admins to move from one group to another.
-
Adam Engelbrecht commented
This would be very useful and help keep down some mistakes that have been made within our growing IT group as well. (2 votes)
-
Anonymous commented
This would be a very beneficial feature in a global organization with a more complex organizational structure. It would be nice to be able to give, e.g., a local helpdesk agent in country A access to a group of devices only in their country.
-
Michelle Aubrey commented
This would be very useful for my organization.
-
Anonymous commented
"Allow configuration changes" is too general. We would like to restrict changes on group settings and only allow our colleagues to change the group of a device, but not the settings of the group.
-
yemartin commented
(or create a new permission for it)
Right now the set of permissions does not work for our use case, which I believe should be quite common:
1) One set of people (our engineers) creates the various configs, profiles, groups, and defines custom attributes. These guys need access to the "Configs", "Apps" and "Devices" sections. On "Devices", they are mostly interested in creating Groups.
2) A separate set of people (IT support staff) deals with actually deploying the devices. These people need access only to the "Devices" tabs. But they need access not only to the "Device actions", but also to the per-device settings, in particular, custom attributes.
The problem is that now, there is no permission that fits our support staff role: The "Allow device actions" is not enough since this does not allow the setting of per-device custom attributes. But "Allow configuration changes" is too much, as it allows modifying "Configs". This is particularly bad because there is no audit trail of who changed what, and when, so we need to restrict access to modifying Configs.
-
Dan Kuehling commented
We would need this to enable a particular quirky bit of organization in our relatively small school district. Our special ed department needs to be able to manage (push apps, primarily) their own fleet of iPads, and we as the IT department need to be able to manage the rest of the district's fleet, as well as push down certain common settings like Wi-Fi configuration to all of the devices. Unfortunately we can't trust the special ed department to "stay in their lane" if we gave them admin access to all of the devices.
Sadly, this will likely be a dealbreaker for us on adopting SimpleMDM.
-
Anonymous commented
This would be super useful for us. While we're one IT team across multiple offices it would be great to be able to delegate access to specific groups e.g. for contractors.
-
Rusty Myers commented
Provide a mechanism for a large organization to distribute management of devices for departments/campuses/colleges/units. Management policies should be able to be applied at the organizational level as well as the "unit" level. Devices should be able to automatically sort to unit levels based on properties. Admins should be able to manage one or multiple units. VPP accounts should be available for the whole organization and units. DEP should be available for the whole organization and units.
-
AdminSimpleMDM (Admin, SimpleMDM) commented
Have you considered opening separate SimpleMDM accounts for each of your customers and then granting your user account access to each? This allows you to achieve full account configuration and billing isolation.
-
Anonymous commented
As an MSP, I'd like to be able to deploy SimpleMDM from my single account to multiple clients. Under the admin login, see all devices in all groups, set policies, etc. I'm looking for the ability to have the client log in and view the details of the devices in their particular group, but not see devices I have in other groups for other clients.
-
AdminSimpleMDM (Admin, SimpleMDM) commented
How do you envision controlling access to shared configurations? For instance, if an admin is limited to managing one group of devices, are they permitted to create or modify profiles related to that group that may be related to other groups as well?