Together with some customers of mine we are testing and implementing Microsoft Intune connected with Configuration Manager 2012 R2 (hybrid scenario). Regardless of the fact the Configuration Manager 2012 R2 is managed by the Configuration Manager admins they want to be able to give certain employees (admins) of their company only permissions to manage only the mobile devices and configuring and deploying settings and profiles for those devices. To be able to do this we need to use the Role Based Administration feature in Configuration Manager, we would be able to use some of the default roles but I created a couple that combine everything we need.
First of all I created the role Mobile Device Management Manager, creating a role like this gives also challenges since some objects and permissions are not configurable in the roles. So to be able to configure things like the Exchange Connector or the Microsoft Intune Connector (with the Extensions for Microsoft Intune) you need to be at least member of the Infrastructure Administrator role. For this I filed a DCR (design change request) at Microsoft because as an Infrastructure Administrator you are able to install or configure site roles, a bit too much if you ask me.
So back to the Mobile Device Management Manager role, this role allows you to do the following;
- Create, modify and delete Configuration Items
- Create, modify, delete and deploy Configuration Baselines
- Create, modify, delete and deploy Applications
- Distribute content to distribution points
- Create, modify, delete and deploy Company Resource Access:
- Certificate profiles
- Email Profiles
- VPN Profiles
- Wi-Fi Profiles
- Create, modify, delete and deploy Compliance policies
- Report / monitor status of deployments
- Report / monitor status of mobile device clients
Download the Mobile Device Management Manager role here.
So next I want to have two roles where security and application management are separated responsibilities.
The Mobile Device Management Security Manager role is allowed to do the following:
- Create, modify, delete Configuration Items
- Create, modify, delete and deploy Configuration Baselines
- Create, modify, delete and deploy Company Resource Access:
- Certificate profiles
- Email Profiles
- VPN Profiles
- Wi-Fi Profiles
- Create, modify, delete and deploy Compliance policies
- Report / monitor status of deployments
- Report / monitor status of mobile device clients
Download the Mobile Device Management Security Manager role here.
The Mobile Device Management Application Manager role is allowed to do the following:
- Create, modify and delete Configuration Items
- Create, modify, delete and deploy Configuration Baselines
- Create, modify, delete and deploy Applications
- Distribute content to distribution points
- Create, modify, delete and deploy Compliance policies
- Report / monitor status of deployments
The Mobile Device Management Application Manager is also able to configure and deploy settings for a mobile device that may be a prerequisite to allow an application to be installed. For instance you may want to be sure that File encryption on mobile device is enabled for a collection of device where you also install an application to. Of course MAM settings in Configuration Manager like currently in Microsoft Intune standalone can be expected link mentioned here in the comments.
Download the Mobile Device Management Application Manager role here.
After importing the new roles we need to make sure that the MDM managers only see what they are allowed to see. The Security Scopes will be a great help 🙂 More on this in a later blog because there are some issues we may come across.
Please let me know what you think and if you miss something that needs to be added!