Role-Based Device Access and User Management
As an administrator, you have probably found routine chores crowding out the network tasks that really need your attention. Mobile Device Manager Plus lets the administrator delegate work by assigning roles with specific privileges to other technicians through its User and Role-Based Device Management modules.
Role-Based Device Access (RBDA)
Some of the most commonly used roles are provided as Pre-defined roles. You also have the flexibility to define roles that best suit your requirements as User-defined roles and grant them the appropriate permissions. Here is a brief description of the User-defined and Pre-defined roles respectively:
You can create any number of roles in Mobile Device Manager Plus and give them the permissions of your choice, based on your needs. These customized roles fall under the User-defined category. Using them, the administrator can give technicians access to only the required modules, and can define the scope of management by granting access only to particular groups and devices. For example, if an organization has offices in different locations, the admin can allow technicians to view and manage devices only in their respective locations.
To see how this works, the following section walks through creating a User-defined role. Follow the steps below to create a new User-defined role:
- On the web console, select the Admin tab and click User Administration. This opens the User Administration page.
- Select the Role tab and click the Add Role button.
- Specify the Role Name and a small description about it.
- Define the module-wise permission level for the role in the Select Control section.
The permission levels are broadly classified into:
- Full Control - To perform all operations in the specific module, like an administrator
- Read - To only view the details in that module
- Write - To perform actions like association and distribution in that module, but not to create or modify any settings in the module
- No Access - To hide the module from the user
- Click the Add button.
You have successfully created a new role.
- The role you have just created will now be available in the roles list of the User Administration module under the Admin tab. A role cannot be deleted while it is associated with even a single user. However, you can modify the permission levels of all User-defined roles.
- Only Administrators will have permission to modify the user details, create or delete a user.
You will find the following roles in the Pre-defined category:
The Administrator role is the Super Admin, who has full control over all modules. The operations listed under the Admin tab include:
- Adding new users and creating new roles.
- Changing mail server settings.
- Changing proxy settings.
- Personalizing options like changing themes, setting session expiry, etc.
- Viewing the Action Logs of Mobile Device Manager Plus.
- Backing up the database.
- Full control over the Inventory module.
- Full control over the Reports module.
- Full control over the Profiles module.
- Full control over the Apps module.
Making changes to this role is strictly prohibited.
The Technician role has a well-defined set of permissions for specific operations. Users with the Technician role cannot perform any of the operations listed under the Admin tab, and cannot use the MDM settings.
The operations that can be performed by users associated with the Technician role include:
- Can perform Scan operations.
- Has Write permission for Inventory, Reports, Profiles and Apps in Mobile Device Management.
Separate role to manage Groups:
MDM allows technicians to execute certain actions on Groups. Depending on the organization's needs, a technician can be given access to the Group(s) on the server to add, modify or delete groups.
- Other roles that have full access to the App management, profile management, content management, OS update management, remote control and announcement options, will have access to Groups as well.
- Admins with Write roles for App Management, Profile Management and Content Management are automatically granted 'Read' access to groups.
- Admins with Write roles for Enrollment are automatically granted Write access to groups.
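The permission levels, the derived Groups access rules and the Scope of Management restriction above fit together as one authorization check. This is an added example, not ManageEngine code; the module names are those on this page, the sample role and group names are constructed, and the level that "full access" implies for Groups is not stated on the page, so the model assumes Read.

```python
# Added example (not ManageEngine code): models the permission levels, the derived
# Groups access rules and the Scope of Management check described above.
NO_ACCESS, READ, WRITE, FULL_CONTROL = "No Access", "Read", "Write", "Full Control"
RANK = {NO_ACCESS: 0, READ: 1, WRITE: 2, FULL_CONTROL: 3}
# Minimum level each kind of operation needs, per the permission descriptions.
NEEDS = {"view": READ, "associate": WRITE, "distribute": WRITE, "modify_settings": FULL_CONTROL}

# Modules the page names as implying Groups access.  The page does not say which
# level "full access" implies for Groups; this model assumes Read (assumption).
FULL_TO_GROUPS = {"App Management", "Profile Management", "Content Management",
                  "OS Update Management", "Remote Control", "Announcement"}
WRITE_TO_GROUPS_READ = {"App Management", "Profile Management", "Content Management"}

def level(perms, module):
    """Permission level a role holds on a module; unlisted modules are No Access."""
    return perms.get(module, NO_ACCESS)

def groups_access(perms):
    """Effective Groups level: the explicit grant or whatever other modules imply."""
    implied = [level(perms, "Groups")]
    if RANK[level(perms, "Enrollment")] >= RANK[WRITE]:   # Write (or higher) on Enrollment -> Write
        implied.append(WRITE)
    if any(level(perms, m) == WRITE for m in WRITE_TO_GROUPS_READ):
        implied.append(READ)                               # Write on these -> Read
    if any(level(perms, m) == FULL_CONTROL for m in FULL_TO_GROUPS):
        implied.append(READ)                               # assumption, see above
    return max(implied, key=RANK.get)

def can(user, module, op, group):
    """True if the user's role allows `op` on `module` for a device in `group`.
    scope=None means 'All Groups'; otherwise a set of selected group names."""
    perms, scope = user["perms"], user["scope"]
    if scope is not None and group not in scope:
        return False  # outside the Scope of Management, whatever the role says
    have = groups_access(perms) if module == "Groups" else level(perms, module)
    return RANK[have] >= RANK[NEEDS[op]]

# Constructed sample: a Technician-style role limited to one office's group.
TECH = {"Inventory": WRITE, "Reports": WRITE, "Profiles": WRITE, "Apps": WRITE,
        "App Management": WRITE}
chennai_tech = {"perms": TECH, "scope": {"Chennai"}}
```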
Points to note
The Guest role has Read-Only permission to all modules, for viewing the MDM inventory details, reports, profiles and Apps of the mobile devices. A user who is associated with the Guest role will have the privileges to scan and view IT asset information. Making changes to this role is strictly prohibited.
The Auditor role is specially crafted for auditing purposes. It lets you grant auditors permission to view the details of the software inventory, check for license compliance, etc.
IT Asset Manager:
The IT Asset Manager has complete access to the Asset Management module and can view the Inventory details of all the Mobile Devices. All other features are inaccessible.
To know the module specific access privileges for user-defined roles, refer here.
Creating a User and Associating a Role
You can associate a user with a role while creating a new user. To create a user, follow the steps below:
- Log into Mobile Device Manager Plus client as an Administrator
- Click User Administration link available under the Global Settings category
- Specify the Authentication Type as Active Directory/Azure Authentication or Local Authentication
- Specify a Username, Password, and Confirm the password
- Select the Role from the drop-down. All the pre-defined roles, and the roles that you have created, are listed here
- Specify the Email address and the Phone number of the user, this is optional.
If you want to provide different levels of control over different Groups of devices, follow the steps given below:
- Under Scope of Management, choose Selected Group(s) for Devices to be managed.
- Specify the Groups over which the selected user should have the above-mentioned control.
- Click Add User to add the user with selected role.
You have successfully created a user and associated a role to the user.
When you opt to authenticate a user via Active Directory/Azure, the user should have privileges to log into the domain from the computer where Mobile Device Manager Plus Server is installed.
In addition to a password policy, you can also secure access to the MDM server by configuring Two-Factor Authentication (TFA). TFA adds a second layer of authentication before access to the MDM server is granted. MDM provides two methods for this authentication:
E-mail: On providing the password, a verification code is sent to the E-mail address the user provided earlier. You can add the E-mail address by navigating to Admin -> User Administration and selecting the User tab. Click on the ellipsis icon under Action against the user whose e-mail address is to be added, click on Modify, provide the E-mail address and click on Modify again to save the changes.
Google Authenticator: You need the Google Authenticator app (iOS / Android) installed for this method. The first time you provide the password after the policy has been applied, on-screen instructions for setting up authentication with Google Authenticator are shown. Either scan the given QR code with Google Authenticator or add the given key manually. Once done, Google Authenticator periodically generates the verification codes to be used for authentication.
You can configure TFA as explained below:
- On the MDM server, click on Admin tab from the top menu and select User Administration, present under Global Settings.
- Click on Secure Authentication and select the Two-Factor Authentication tab.
- To configure TFA, first enable it and then select whether the authentication mode is E-mail or Google Authenticator. You can also allow browsers to remember the verification for a specified number of days, during which the user will not be prompted for the verification code again.
- Once done, click on Save to apply the policy.
- If you are facing issues with authentication using Google Authenticator:
- In the case of iPhone, go to Settings -> General -> Date and Time and enable Turn on automatically.
- In the case of Android devices, open Google Authenticator app, click on Settings and select Time correction for codes. Click on Sync now.
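The time-correction steps above matter because the codes Google Authenticator shows are time-based one-time passwords (TOTP, RFC 6238). The following is an added example, not Google's or ManageEngine's code: it derives a code from the key shown at enrolment and checks it server-side with a small tolerance window, which is why a phone clock that drifts further than that window produces codes the server rejects. The key used is the RFC 6238 test key, so the values are checkable.

```python
# Added example (not Google's or ManageEngine's code): the TOTP algorithm (RFC 6238,
# HMAC-SHA1, 30 s steps, 6 digits) behind Google Authenticator codes, and why the
# phone's clock has to be right.
import base64, hashlib, hmac, struct

STEP = 30  # seconds per code

def totp(secret_b32, at, digits=6):
    """Code for the (base32) key shown at enrolment, at Unix time `at`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", int(at) // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % 10 ** digits:0{digits}d}"

def verify(secret_b32, code, server_time, skew_steps=1):
    """Server-side check: accept the current step and +/- skew_steps neighbours.
    A phone clock off by more than that window yields codes the server rejects,
    which is what the Date & Time / Time correction steps above fix."""
    return any(hmac.compare_digest(totp(secret_b32, server_time + k * STEP), code)
               for k in range(-skew_steps, skew_steps + 1))

# RFC 6238 test key "12345678901234567890" in base32, so the values are checkable.
RFC_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```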
Password Policy for users
It is always recommended to enforce a password policy for logging in to the MDM server, as it prevents unauthorized logins. A password policy defines parameters such as password complexity and password length to ensure users choose a strong password that meets the security standards of the organization. You can configure a password policy as explained below:
- On the MDM server, click on Admin tab from the top menu and select User Administration, present under Global Settings.
- Click on Secure Authentication and select the Password Policy tab.
- Configure the policy, based on the policy description given below:
| Setting | Description |
| --- | --- |
| Password Type | Specify the complexity of the login password. If the option Complex is selected, the login password must contain one special character, one upper case character and one lower case character. |
| Minimum Password Length | Specify the minimum number of characters the login password should contain. |
| Number of passwords to be maintained in history | Specify the number of old passwords that cannot be reused by the user while changing the password. For example, if you set it to 4, users cannot reuse any of their last 4 passwords. |
| Lock user account, if it exceeds the maximum login attempts specified | Specify whether the user should be prevented from logging in after exceeding the maximum number of invalid login attempts. |
| Number of invalid login attempts allowed | Specify the number of failed attempts beyond which the user cannot log in until the lockout duration has elapsed or the admin unlocks the account by modifying the lockout duration. |
| Lockout duration | Specify the time span during which the user cannot log in to the MDM server after exceeding the maximum number of invalid login attempts. |
Once you have configured the policy, click on Save to apply the policy.
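As an added example (not ManageEngine code), the settings in the table above translate into two checks: one on a new password at change time and one on each login attempt, with the lockout counter and duration. The policy values and account are constructed samples; the fingerprint helper stands in for the slow, salted password hash a real server would use.

```python
# Added example (not ManageEngine code): enforces the settings in the table above
# for a new password and for login attempts, including the account lockout.
import hashlib
from dataclasses import dataclass, field
@dataclass
class PasswordPolicy:                      # values are constructed samples
    password_type: str = "Complex"         # "Complex" adds the character-class rules
    min_length: int = 8
    history_count: int = 4
    lock_on_max_attempts: bool = True
    max_invalid_attempts: int = 5
    lockout_duration: int = 1800           # seconds

@dataclass
class Account:
    username: str
    history: list = field(default_factory=list)  # fingerprints, most recent first
    failed_attempts: int = 0
    locked_until: float = 0.0              # epoch seconds; 0 means not locked

def fingerprint(password):
    # Stand-in for a slow, salted password hash; enough to compare against history.
    return hashlib.sha256(password.encode()).hexdigest()

def check_new_password(policy, account, candidate):
    """Return the list of policy violations; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.password_type == "Complex":
        if not any(c.isupper() for c in candidate): problems.append("no upper case character")
        if not any(c.islower() for c in candidate): problems.append("no lower case character")
        if not any(not c.isalnum() for c in candidate): problems.append("no special character")
    if fingerprint(candidate) in account.history[:policy.history_count]:
        problems.append(f"reuses one of the last {policy.history_count} passwords")
    return problems

def record_login(policy, account, password_ok, now):
    """Apply the lockout rules to one login attempt at `now` (epoch seconds); True = allowed."""
    if now < account.locked_until:
        return False                       # still inside the lockout duration
    if password_ok:
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1           # one more invalid attempt
    if policy.lock_on_max_attempts and account.failed_attempts > policy.max_invalid_attempts:
        account.locked_until = now + policy.lockout_duration
        account.failed_attempts = 0
    return False
```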
Modifying User details
Mobile Device Manager Plus offers the flexibility to modify user details to suit your changing requirements. You can change a user's role or reset a user's password at any time.
Active session details and session termination
There are scenarios where you might want to know the number of active sessions, the number of sessions from a particular IP/location, etc. MDM lets you obtain all this information and also terminate all other active sessions.
To know the login session details of a particular user:
- On the MDM server, navigate to the Admin tab and select User Administration (present under Global Settings).
- Click on the ellipsis icon under Actions present against the user whose sessions you want to inspect. Select the option Logon details, to know:
- If the user has a current active session
- IP/Locations from which the user has logged in
- Duration of sessions
- Details regarding when the session was initiated and terminated
To know other details, click on the user icon at the top right of your server console; the drop-down shows the number of current active sessions. Click on it to see the last 10 logon activities and to terminate other active sessions.
Deleting a user
When a user no longer needs access, you can delete the user from the user list. Follow the steps below to remove a user:
- On the MDM server, navigate to Admin tab and select User Administration (present under Global Settings).
- Click on the ellipsis icon under Actions present against the user, who is to be deleted. Select the option Delete User and confirm to proceed with the user deletion.