Server Administrator Roles in MDM

10/3/2008

System Center Mobile Device Manager (MDM) uses role-based access control. Unlike an authentication system that specifies who a user is, role-based access is an authorization system that specifies what a user is authorized to access and what tasks that person can perform.

The following shows the Administrator Roles:

  • DeviceAdministrators
  • DeviceSupport
  • HelpdeskOperator
  • ServerAdministrators

Tasks by Administrator Roles

The following shows the tasks that each administrator role gives users.

DeviceAdministrators

The following shows the tasks that a user who has the DeviceAdministrators role can perform.

| Task | Cmdlet |
| --- | --- |
| Remove a wipe request for the specified managed Windows Mobile powered device if the wipe request is yet unprocessed. | Remove-WipeRequest |
| Add a compromised managed Windows Mobile powered device to the blocked device table. | Add-BlockedDevice |
| Configure the properties of the wipe service. | Set-WipeConfig |
| Create a new device inventory collection task. | New-MDMInventoryItem |
| Create a new managed device enrollment request. | New-EnrollmentRequest |
| Create a new wipe request that deletes all content on the targeted managed device. | New-WipeRequest |
| Remove a managed device from the Blocked Device Table. | Remove-BlockedDevice |
| Remove a pending enrollment request for a managed device. | Remove-EnrollmentRequest |
| Remove a wipe request for the specified managed device if the wipe request is yet unprocessed. | Remove-WipeRequest |
| Remove operational log entries from the Enrollment service database. | Remove-EnrollmentServiceLog |
| Remove the specified device inventory collection task from the task list on the server. | Remove-MDMInventoryItem |
| Resume all device inventory collection tasks that were suspended by using the Disable-MDMInventory cmdlet. | Enable-MDMInventory |
| Return information about devices that MDM manages. | Get-MDMDevice |
| Return information about the current set of managed blocked devices. | Get-BlockedDevice |
| Return operational log entries from the Enrollment service database. | Get-EnrollmentServiceLog |
| Return pending managed device enrollment requests. | Get-EnrollmentRequest |
| Return status information for the specified managed device. | Get-MDMDeviceStatus |
| Return the collection of servers in MDM. | Get-MDMServer |
| Return the complete set of collected inventory data for the specified managed device. | Get-MDMDeviceInventory |
| Return the complete set of transaction information for the specified managed device from the server operations log file. | Get-MDMDeviceHistory |
| Return the current configuration of the Enrollment service. | Get-EnrollmentConfig |
| Return the current configuration of the Group Policy service. | Get-MobilePolicyServiceConfig |
| Return the current configuration of the wipe service. | Get-WipeConfig |
| Return the current global device management configuration. | Get-DeviceManagementConfig |
| Return the currently active device inventory collection tasks. | Get-MDMInventoryItem |
| Return the global virtual private network (VPN) settings shared among all computers that are running MDM Gateway Server. | Get-MDMGlobalGatewayConfig |
| Return the unprocessed wipe requests for the specified managed device. | Get-WipeRequest |
| Set all device inventory collection settings to their default values. | Restore-MDMInventoryDefaults |
| Set the collection frequency for a device inventory collection item. | Set-MDMInventoryItem |
| Return the current configuration of MDM software distribution service. | Get-SoftwareDistributionConfig |
| Set the configuration of MDM software distribution service. | Set-SoftwareDistributionConfig |
| Set the configuration of the Group Policy service. | Set-MobilePolicyServiceConfig |
| Set the global device management configuration values. | Set-DeviceManagementConfig |
| Suspend all currently active device inventory collection tasks. | Disable-MDMInventory |
| Update the current configuration of the Enrollment service by using the provided values. | Set-EnrollmentConfig |
| Update the global VPN settings shared among all computers that are running MDM Gateway Server. | Set-MDMGlobalGatewayConfig |
| Update the Resultant Set of Policy (RSoP) held by the server for a given device. | Update-MobilePolicyCalculation |

DeviceSupport

The following shows the tasks that a user who has the DeviceSupport role can perform.

| Task | Cmdlet |
| --- | --- |
| Remove a wipe request for the specified managed Windows Mobile powered device if the wipe request is yet unprocessed. | Remove-WipeRequest |
| Add a compromised managed device to the blocked device table. | Add-BlockedDevice |
| Create a new managed device enrollment request. | New-EnrollmentRequest |
| Create a new wipe request that deletes all content on the targeted managed device. | New-WipeRequest |
| Remove a managed device from the Blocked Device Table. | Remove-BlockedDevice |
| Remove a pending enrollment request for a managed device. | Remove-EnrollmentRequest |
| Remove a wipe request for the specified managed device if the wipe request is yet unprocessed. | Remove-WipeRequest |
| Return information about devices that MDM manages. | Get-MDMDevice |
| Return information about the current set of managed devices that are blocked. | Get-BlockedDevice |
| Return operational log entries from the Enrollment service database. | Get-EnrollmentServiceLog |
| Return pending managed device enrollment requests. | Get-EnrollmentRequest |
| Return status information for the specified managed device. | Get-MDMDeviceStatus |
| Return the collection of servers in MDM. | Get-MDMServer |
| Return the complete set of collected inventory data for the specified managed device. | Get-MDMDeviceInventory |
| Return the complete set of transaction information for the specified managed device from the server operations log file. | Get-MDMDeviceHistory |
| Return the current configuration of the Enrollment service. | Get-EnrollmentConfig |
| Return the current configuration of the Group Policy service. | Get-MobilePolicyServiceConfig |
| Return the current configuration of MDM software distribution service. | Get-SoftwareDistributionConfig |
| Return the current configuration of the wipe service. | Get-WipeConfig |
| Return the current gateway-specific settings and the last known configuration status. | Get-MDMGatewayServer |
| Return the current global device management configuration. | Get-DeviceManagementConfig |
| Return the currently active device inventory collection tasks. | Get-MDMInventoryItem |
| Return the global VPN settings shared among all computers that are running MDM Gateway Server. | Get-MDMGlobalGatewayConfig |
| Return the unprocessed wipe requests for the specified managed device. | Get-WipeRequest |
| Update the RSoP held by the server for a given device. | Update-MobilePolicyCalculation |

HelpdeskOperator

The following shows the tasks that a user who has the HelpdeskOperator role can perform.

| Task | Cmdlet |
| --- | --- |
| Create a new managed device enrollment request. | New-EnrollmentRequest |
| Remove a pending enrollment request for a managed device. | Remove-EnrollmentRequest |
| Return information about devices that MDM manages. | Get-MDMDevice |
| Return information about the current set of managed devices that are blocked. | Get-BlockedDevice |
| Return operational log entries from the Enrollment service database. | Get-EnrollmentServiceLog |
| Return pending managed device enrollment requests. | Get-EnrollmentRequest |
| Return status information for the specified managed device. | Get-MDMDeviceStatus |
| Return the collection of servers in MDM. | Get-MDMServer |
| Return the complete set of collected inventory data for the specified managed device. | Get-MDMDeviceInventory |
| Return the complete set of transaction information for the specified managed device from the server operations log file. | Get-MDMDeviceHistory |
| Return the current configuration of the Enrollment service. | Get-EnrollmentConfig |
| Return the current configuration of the Group Policy service. | Get-MobilePolicyServiceConfig |
| Return the current configuration of MDM software distribution service. | Get-SoftwareDistributionConfig |
| Return the current configuration of the wipe service. | Get-WipeConfig |
| Return the current gateway-specific settings and the last known configuration status. | Get-MDMGatewayServer |
| Return the current global device management configuration. | Get-DeviceManagementConfig |
| Return the currently active device inventory collection tasks. | Get-MDMInventoryItem |
| Return the global VPN settings shared among all computers that are running MDM Gateway Server. | Get-MDMGlobalGatewayConfig |
| Return the unprocessed wipe requests for the specified managed device. | Get-WipeRequest |
| Update the RSoP held by the server for a given device. | Update-MobilePolicyCalculation |

ServerAdministrators

The following shows the tasks that a user who has the ServerAdministrators role can perform.

| Task | Cmdlet |
| --- | --- |
| Add a new computer that is running MDM Gateway Server to MDM. | Add-MDMGatewayServer |
| Configure the properties of the wipe service. | Set-WipeConfig |
| Disable Windows Preprocessor (WPP) logging for one or more components. Note: A user who has local administrator privileges can perform this task locally on the server. A user who has the ServerAdministrators role can use the cmdlet with the appropriate parameters to perform this task remotely, or on the local server, without requiring local administrative credentials. | Disable-MDMTrace |
| Enable WPP logging for one or more components. Note: A user who has local administrator privileges can perform this task locally on the server. A user who has the ServerAdministrators role can use the cmdlet with the appropriate parameters to perform this task remotely, or on the local server, without requiring local administrative credentials. | Enable-MDMTrace |
| Remove MDM Gateway Server and all corresponding properties from MDM. | Remove-MDMGatewayServer |
| Return information about devices that MDM manages. | Get-MDMDevice |
| Return information about the current set of managed devices that are blocked. | Get-BlockedDevice |
| Return operational log entries from the Enrollment service database. | Get-EnrollmentServiceLog |
| Return pending managed device enrollment requests. | Get-EnrollmentRequest |
| Return status information for the specified managed device. | Get-MDMDeviceStatus |
| Return the collection of servers in MDM. | Get-MDMServer |
| Return the complete set of collected inventory data for the specified managed device. | Get-MDMDeviceInventory |
| Return the complete set of transaction information for the specified managed device from the server operations log file. | Get-MDMDeviceHistory |
| Return the current configuration of the Enrollment service. | Get-EnrollmentConfig |
| Return the current configuration of the Group Policy service. | Get-MobilePolicyServiceConfig |
| Return the current configuration of the wipe service. | Get-WipeConfig |
| Return the current gateway-specific settings and the last known configuration status. | Get-MDMGatewayServer |
| Return the current global device management configuration. | Get-DeviceManagementConfig |
| Return the currently active device inventory collection tasks. | Get-MDMInventoryItem |
| Return the global VPN settings shared among all computers that are running MDM Gateway Server. | Get-MDMGlobalGatewayConfig |
| Return the unprocessed wipe requests for the specified managed device. | Get-WipeRequest |
| Set the configuration of the Group Policy service. | Set-MobilePolicyServiceConfig |
| Return the current configuration of MDM software distribution service. | Get-SoftwareDistributionConfig |
| Set the configuration of MDM software distribution service. | Set-SoftwareDistributionConfig |
| Set the global device management configuration values. | Set-DeviceManagementConfig |
| Start the VPN service on the specified MDM Gateway Server. | Start-MDMVPNService |
| Stop the VPN service on the specified MDM Gateway Server. | Stop-MDMVPNService |
| Update the current configuration of the Enrollment service by using the provided values. | Set-EnrollmentConfig |
| Update the current settings for the specified MDM Gateway Server. | Set-MDMGatewayServer |
| Update the global VPN settings shared among all computers that are running MDM Gateway Server. | Set-MDMGlobalGatewayConfig |
| Update the RSoP held by the server for a given device. | Update-MobilePolicyCalculation |

Tasks and Administrator Roles by Cmdlet

The following shows the tasks that each role can perform.

| Task | Cmdlet | Required Admin Role |
| --- | --- | --- |
| Add a compromised managed device to the blocked device table. | Add-BlockedDevice | DeviceAdministrators, DeviceSupport |
| Add a new computer that is running MDM Gateway Server to MDM. | Add-MDMGatewayServer | ServerAdministrators |
| Suspend all currently active device inventory collection tasks. | Disable-MDMInventory | DeviceAdministrators |
| Disable WPP logging for one or more components. | Disable-MDMTrace | ServerAdministrators or local machine administrators when run from a computer that is running MDM when there are no local administrator privileges. |
| Resume all device inventory collection tasks that were suspended with the Disable-MDMInventory cmdlet. | Enable-MDMInventory | DeviceAdministrators |
| Enable WPP logging for one or more components. | Enable-MDMTrace | ServerAdministrators role, or local machine administrators when run from a computer that is running MDM when there are no local administrator privileges. |
| Return information about the current set of managed devices that are blocked. | Get-BlockedDevice | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the current global device management configuration. | Get-DeviceManagementConfig | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the current configuration of the Enrollment service. | Get-EnrollmentConfig | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return pending managed device enrollment requests. | Get-EnrollmentRequest | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return operational log entries from the Enrollment service database. | Get-EnrollmentServiceLog | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return information about managed devices that MDM controls. | Get-MDMDevice | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the complete set of transaction information for the specified managed device from the server operations log file. | Get-MDMDeviceHistory | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the complete set of collected inventory data for the specified managed device. | Get-MDMDeviceInventory | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return status information for the specified managed device. | Get-MDMDeviceStatus | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the current gateway-specific settings and the last known configuration status. | Get-MDMGatewayServer | ServerAdministrators, DeviceSupport, HelpdeskOperator |
| Return the global VPN settings shared among all computers that are running MDM Gateway Server. | Get-MDMGlobalGatewayConfig | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the currently active device inventory collection tasks. | Get-MDMInventoryItem | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the collection of servers in MDM. | Get-MDMServer | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the current configuration of the Group Policy service. | Get-MobilePolicyServiceConfig | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the current configuration of MDM software distribution service. | Get-SoftwareDistributionConfig | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the current configuration of the wipe service. | Get-WipeConfig | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Return the unprocessed wipe requests for the specified managed device. | Get-WipeRequest | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Create a new managed device enrollment request. | New-EnrollmentRequest | DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Create a new device inventory collection task. | New-MDMInventoryItem | DeviceAdministrators |
| Create a new wipe request that deletes all content on the targeted managed device. | New-WipeRequest | DeviceAdministrators, DeviceSupport |
| Remove a managed device from the Blocked Device Table. | Remove-BlockedDevice | DeviceAdministrators, DeviceSupport |
| Remove a pending enrollment request for a managed device. | Remove-EnrollmentRequest | DeviceAdministrators, DeviceSupport, HelpdeskOperator |
| Remove operational log entries from the Enrollment service database. | Remove-EnrollmentServiceLog | DeviceAdministrators |
| Remove MDM Gateway Server and all corresponding properties from MDM. | Remove-MDMGatewayServer | ServerAdministrators |
| Remove the specified device inventory collection task from the task list on the server. | Remove-MDMInventoryItem | DeviceAdministrators |
| Remove a wipe request for the specified managed device if the wipe request is yet unprocessed. | Remove-WipeRequest | DeviceAdministrators, DeviceSupport |
| Set all device inventory collection settings to their default values. | Restore-MDMInventoryDefaults | DeviceAdministrators |
| Set the global device management configuration values. | Set-DeviceManagementConfig | ServerAdministrators, DeviceAdministrators |
| Update the current configuration of the Enrollment service by using the provided values. | Set-EnrollmentConfig | ServerAdministrators, DeviceAdministrators |
| Update the current settings for the specified MDM Gateway Server. | Set-MDMGatewayServer | ServerAdministrators |
| Update the global VPN settings shared among all computers that are running MDM Gateway Server. | Set-MDMGlobalGatewayConfig | ServerAdministrators, DeviceAdministrators |
| Set the collection frequency for a device inventory collection item. | Set-MDMInventoryItem | DeviceAdministrators |
| Set the configuration of the Group Policy service. | Set-MobilePolicyServiceConfig | ServerAdministrators, DeviceAdministrators |
| Set the configuration of MDM software distribution service. | Set-SoftwareDistributionConfig | ServerAdministrators, DeviceAdministrators |
| Configure the properties of the wipe service. | Set-WipeConfig | ServerAdministrators, DeviceAdministrators |
| Start the VPN service on the specified MDM Gateway Server. | Start-MDMVPNService | ServerAdministrators |
| Stop the VPN service on the specified MDM Gateway Server. | Stop-MDMVPNService | ServerAdministrators |
| Update the RSoP held by the server for a given device. | Update-MobilePolicyCalculation | ServerAdministrators, DeviceAdministrators, DeviceSupport, HelpdeskOperator |

See Also

Reference

Server Infrastructure Roles in MDM