Server Administrator Roles in MDM

Collapse All

10/3/2008

System Center Mobile Device Manager (MDM) uses role-based access control. Unlike an authentication system that specifies who a user is, role-based access is an authorization system that specifies what a user is authorized to access and what tasks that person can perform.

The following shows the Administrator Roles:

DeviceAdministrators
DeviceSupport
HelpdeskOperator
ServerAdministrators

Tasks by Administrator Roles

The following shows the tasks that each administrator role gives users.

DeviceAdministrators

The following shows the tasks that a user who has the DeviceAdministrators role can perform.

Task	Cmdlet
Remove a wipe request for the specified managed Windows Mobile powered device if the wipe request is yet unprocessed.	Remove-WipeRequest
Add a compromised managed Windows Mobile powered device to the blocked device table.	Add-BlockedDevice
Configure the properties of the wipe service.	Set-WipeConfig
Create a new device inventory collection task.	New-MDMInventoryItem
Create a new managed device enrollment request.	New-EnrollmentRequest
Create a new wipe request that deletes all content on the targeted managed device.	New-WipeRequest
Remove a managed device from the Blocked Device Table.	Remove-BlockedDevice
Remove a pending enrollment request for a managed device.	Remove-EnrollmentRequest
Remove a wipe request for the specified managed device if the wipe request is yet unprocessed.	Remove-WipeRequest
Remove operational log entries from the Enrollment service database.	Remove-EnrollmentServiceLog
Remove the specified device inventory collection task from the task list on the server.	Remove-MDMInventoryItem
Resume all device inventory collection tasks that were suspended by using the Disable-MDMInventory cmdlet.	Enable-MDMInventory
Return information about devices that MDM manages.	Get-MDMDevice
Return information about the current set of managed blocked devices.	Get-BlockedDevice
Return operational log entries from the Enrollment service database.	Get-EnrollmentServiceLog
Return pending managed device enrollment requests.	Get-EnrollmentRequest
Return status information for the specified managed device.	Get-MDMDeviceStatus
Return the collection of servers in MDM.	Get-MDMServer
Return the complete set of collected inventory data for the specified managed device.	Get-MDMDeviceInventory
Return the complete set of transaction information for the specified managed device from the server operations log file.	Get-MDMDeviceHistory
Return the current configuration of the Enrollment service.	Get-EnrollmentConfig
Return the current configuration of the Group Policy service.	Get-MobilePolicyServiceConfig
Return the current configuration of the wipe service.	Get-WipeConfig
Return the current global device management configuration.	Get-DeviceManagementConfig
Return the currently active device inventory collection tasks.	Get-MDMInventoryItem
Return the global virtual private network (VPN) settings shared among all computers that are running MDM Gateway Server.	Get-MDMGlobalGatewayConfig
Return the unprocessed wipe requests for the specified managed device.	Get-WipeRequest
Set all device inventory collection settings to their default values.	Restore-MDMInventoryDefaults
Set the collection frequency for a device inventory collection item.	Set-MDMInventoryItem
Return the current configuration of MDM software distribution service.	Get-SoftwareDistributionConfig
Set the configuration of MDM software distribution service.	Set-SoftwareDistributionConfig
Set the configuration of the Group Policy service.	Set-MobilePolicyServiceConfig
Set the global device management configuration values.	Set-DeviceManagementConfig
Suspend all currently active device inventory collection tasks.	Disable-MDMInventory
Update the current configuration of the Enrollment service by using the provided values.	Set-EnrollmentConfig
Update the global VPN settings shared among all computers that are running MDM Gateway Server.	Set-MDMGlobalGatewayConfig
Update the Resultant Set of Policy (RSoP) held by the server for a given device.	Update-MobilePolicyCalculation

DeviceSupport

The following shows the tasks that a user who has the DeviceSupport role can perform.

Task	Cmdlet
Remove a wipe request for the specified managed Windows Mobile powered device if the wipe request is yet unprocessed.	Remove-WipeRequest
Add a compromised managed device to the blocked device table.	Add-BlockedDevice
Create a new managed device enrollment request.	New-EnrollmentRequest
Create a new wipe request that deletes all content on the targeted managed device.	New-WipeRequest
Remove a managed device from the Blocked Device Table.	Remove-BlockedDevice
Remove a pending enrollment request for a managed device.	Remove-EnrollmentRequest
Remove a wipe request for the specified managed device if the wipe request is yet unprocessed.	Remove-WipeRequest
Return information about devices that MDM manages.	Get-MDMDevice
Return information about the current set of managed devices that are blocked	Get-BlockedDevice
Return operational log entries from the Enrollment service database.	Get-EnrollmentServiceLog
Return pending managed device enrollment requests.	Get-EnrollmentRequest
Return status information for the specified managed device.	Get-MDMDeviceStatus
Return the collection of servers in MDM.	Get-MDMServer
Return the complete set of collected inventory data for the specified managed device.	Get-MDMDeviceInventory
Return the complete set of transaction information for the specified managed device from the server operations log file.	Get-MDMDeviceHistory
Return the current configuration of the Enrollment service.	Get-EnrollmentConfig
Return the current configuration of the Group Policy service.	Get-MobilePolicyServiceConfig
Return the current configuration of MDM software distribution service.	Get-SoftwareDistributionConfig
Return the current configuration of the wipe service.	Get-WipeConfig
Return the current gateway-specific settings and the last known configuration status.	Get-MDMGatewayServer
Return the current global device management configuration.	Get-DeviceManagementConfig
Return the currently active device inventory collection tasks.	Get-MDMInventoryItem
Return the global VPN settings shared among all computers that are running MDM Gateway Server.	Get-MDMGlobalGatewayConfig
Return the unprocessed wipe requests for the specified managed device.	Get-WipeRequest
Update the RSoP held by the server for a given device.	Update-MobilePolicyCalculation

HelpdeskOperator

The following shows the tasks that a user who has the HelpDeskOperator role can perform.

Task	Cmdlet
Create a new managed device enrollment request.	New-EnrollmentRequest
Remove a pending enrollment request for a managed device.	Remove-EnrollmentRequest
Return information about devices that MDM manages.	Get-MDMDevice
Return information about the current set of managed devices that are blocked.	Get-BlockedDevice
Return operational log entries from the Enrollment service database.	Get-EnrollmentServiceLog
Return pending managed device enrollment requests.	Get-EnrollmentRequest
Return status information for the specified managed device.	Get-MDMDeviceStatus
Return the collection of servers in MDM.	Get-MDMServer
Return the complete set of collected inventory data for the specified managed device.	Get-MDMDeviceInventory
Return the complete set of transaction information for the specified managed device from the server operations log file.	Get-MDMDeviceHistory
Return the current configuration of the Enrollment service.	Get-EnrollmentConfig
Return the current configuration of the Group Policy service.	Get-MobilePolicyServiceConfig
Return the current configuration of MDM software distribution service.	Get-SoftwareDistributionConfig
Return the current configuration of the wipe service.	Get-WipeConfig
Return the current gateway-specific settings and the last known configuration status.	Get-MDMGatewayServer
Return the current global device management configuration.	Get-DeviceManagementConfig
Return the currently active device inventory collection tasks.	Get-MDMInventoryItem
Return the global VPN settings shared among all computers that are running MDM Gateway Server.	Get-MDMGlobalGatewayConfig
Return the unprocessed wipe requests for the specified managed device.	Get-WipeRequest
Update the RSoP held by the server for a given device.	Update-MobilePolicyCalculation

ServerAdministrators

The following shows the tasks that a user who has the ServerAdministrators role can perform.

Task	Cmdlet
Add a new computer that is running MDM Gateway Server to MDM.	Add-MDMGatewayServer
Configure the properties of the wipe service.	Set-WipeConfig
Disable Windows Preprocessor (WPP) logging for one or more components. Note: A user who has local administrator privileges can perform this task locally on the server. A user who has the ServerAdministrators role can use the cmdlet with the appropriate parameters to perform this task remotely, or on the local server, without requiring local administrative credentials.	Disable-MDMTrace
Enable WPP logging for one or more components. Note: A user who has local administrator privileges can perform this task locally on the server. A user who has the ServerAdministrators role can use the cmdlet with the appropriate parameters to perform this task remotely, or on the local server, without requiring local administrative credentials.	Enable-MDMTrace
Remove MDM Gateway Server and all corresponding properties from MDM.	Remove-MDMGatewayServer
Return information about devices that MDM manages.	Get-MDMDevice
Return information about the current set of managed devices that are blocked.	Get-BlockedDevice
Return operational log entries from the Enrollment service database.	Get-EnrollmentServiceLog
Return pending managed device enrollment requests.	Get-EnrollmentRequest
Return status information for the specified managed device.	Get-MDMDeviceStatus
Return the collection of servers in MDM.	Get-MDMServer
Return the complete set of collected inventory data for the specified managed device.	Get-MDMDeviceInventory
Return the complete set of transaction information for the specified managed device from the server operations log file.	Get-MDMDeviceHistory
Return the current configuration of the Enrollment service.	Get-EnrollmentConfig
Return the current configuration of the Group Policy service.	Get-MobilePolicyServiceConfig
Return the current configuration of the wipe service.	Get-WipeConfig
Return the current gateway-specific settings and the last known configuration status.	Get-MDMGatewayServer
Return the current global device management configuration.	Get-DeviceManagementConfig
Return the currently active device inventory collection tasks.	Get-MDMInventoryItem
Return the global VPN settings shared among all computers that are running MDM Gateway Server.	Get-MDMGlobalGatewayConfig
Return the unprocessed wipe requests for the specified managed device.	Get-WipeRequest
Set the configuration of the Group Policy service.	Set-MobilePolicyServiceConfig
Return the current configuration of MDM software distribution service.	Get-SoftwareDistributionConfig
Set the configuration of MDM software distribution service.	Set-SoftwareDistributionConfig
Set the global device management configuration values.	Set-DeviceManagementConfig
Start the VPN service on the specified MDM Gateway Server.	Start-MDMVPNService
Stop the VPN service on the specified MDM Gateway Server.	Stop-MDMVPNService
Update the current configuration of the Enrollment service by using the provided values.	Set-EnrollmentConfig
Update the current settings for the specified MDM Gateway Server.	Set-MDMGatewayServer
Update the global VPN settings shared among all computers that are running MDM Gateway Server.	Set-MDMGlobalGatewayConfig
Update the RSoP held by the server for a given device.	Update-MobilePolicyCalculation

Tasks and Administrator Roles by Cmdlet

The following shows the tasks that each role can perform.

Task	Cmdlet	Required Admin Role
Add a compromised managed device to the blocked device table.	Add-BlockedDevice	DeviceAdministrators DeviceSupport
Add a new computer that is running MDM Gateway Server to MDM.	Add-MDMGatewayServer	ServerAdministrators
Suspend all currently active device inventory collection tasks.	Disable-MDMInventory	DeviceAdministrators
Disable WPP logging for one or more components.	Disable-MDMTrace	ServerAdministrators or local machine administrators when run from a computer that is running MDM when there are no local administrator privileges.
Resume all device inventory collection tasks that were suspended with the Disable-MDMInventory cmdlet.	Enable-MDMInventory	DeviceAdministrators
Enable WPP logging for one or more components.	Enable-MDMTrace	ServerAdministrators role, or local machine administrators when run from a computer that is running MDM when there are no local administrator privileges.
Return information about the current set of managed devices that are blocked.	Get-BlockedDevice	ServerAdministrators DeviceAdministrators DeviceSupport HelpdeskOperator
Return the current global device management configuration.	Get-DeviceManagementConfig	ServerAdministrators DeviceAdministrators DeviceSupport HelpdeskOperator
Return the current configuration of the Enrollment service.	Get-EnrollmentConfig	ServerAdministrators DeviceAdministrators DeviceSupport HelpdeskOperator
Return pending managed device enrollment requests.	Get-EnrollmentRequest	ServerAdministrators DeviceAdministrators DeviceSupport HelpdeskOperator
Return operational log entries from the Enrollment service database.	Get-EnrollmentServiceLog	ServerAdministrators DeviceAdministrators DeviceSupport HelpdeskOperator
Return information about managed devices that controls.	Get-MDMDevice	ServerAdministrators DeviceAdministrators DeviceSupport HelpdeskOperator
Return the complete set of transaction information for the specified managed device from the server operations log file.	Get-MDMDeviceHistory	ServerAdministrators DeviceAdministrators DeviceSupport HelpdeskOperator
Return the complete set of collected inventory data for the specified managed device.	Get-MDMDeviceInventory	ServerAdministrators DeviceAdministrators DeviceSupport HelpdeskOperator
Return status information for the specified managed device.	Get-MDMDeviceStatus	ServerAdministrators DeviceAdministrators DeviceSupport HelpdeskOperator
Return the current gateway-specific settings and the last known configuration status.	Get-MDMGatewayServer	ServerAdministrators DeviceSupport HelpdeskOperator
Return the global VPN settings shared among all computers that are running MDM Gateway Server.	Get-MDMGlobalGatewayConfig	ServerAdministrators DeviceAdministrators DeviceSupport HelpdeskOperator
Return the currently active device inventory collection tasks.	Get-MDMInventoryItem	ServerAdministrators DeviceAdministrators DeviceSupport HelpdeskOperator
Return the collection of servers in MDM.	Get-MDMServer	ServerAdministrators DeviceAdministrators DeviceSupport HelpdeskOperator
Return the current configuration of the Group Policy service.	Get-MobilePolicyServiceConfig	ServerAdministrators DeviceAdministrators DeviceSupport HelpdeskOperator
Return the current configuration of MDM software distribution service.	Get-SoftwareDistributionConfig	ServerAdministrators DeviceAdministrators DeviceSupport HelpdeskOperator
Return the current configuration of the wipe service.	Get-WipeConfig	ServerAdministrators DeviceAdministrators DeviceSupport HelpdeskOperator
Return the unprocessed wipe requests for the specified managed device.	Get-WipeRequest	ServerAdministrators DeviceAdministrators DeviceSupport HelpdeskOperator
Create a new managed device enrollment request.	New-EnrollmentRequest	DeviceAdministrators DeviceSupport HelpdeskOperator
Create a new device inventory collection task.	New-MDMInventoryItem	DeviceAdministrators
Create a new wipe request that deletes all content on the targeted managed device.	New-WipeRequest	DeviceAdministrators DeviceSupport
Remove a managed device from the Blocked Device Table.	Remove-BlockedDevice	DeviceAdministrators DeviceSupport
Remove a pending enrollment request for a managed device.	Remove-EnrollmentRequest	DeviceAdministrators DeviceSupport HelpdeskOperator
Remove operational log entries from the Enrollment service database.	Remove-EnrollmentServiceLog	DeviceAdministrators
Remove MDM Gateway Server and all corresponding properties from MDM.	Remove-MDMGatewayServer	ServerAdministrators
Remove the specified device inventory collection task from the task list on the server.	Remove-MDMInventoryItem	DeviceAdministrators
Remove a wipe request for the specified managed device if the wipe request is yet unprocessed.	Remove-WipeRequest	DeviceAdministrators DeviceSupport
Remove a wipe request for the specified managed device if the wipe request is yet unprocessed.	Remove-WipeRequest	DeviceAdministrators DeviceSupport
Set all device inventory collection settings to their default values.	Restore-MDMInventoryDefaults	DeviceAdministrators
Set the global device management configuration values.	Set-DeviceManagementConfig	ServerAdministrators DeviceAdministrators
Update the current configuration of the Enrollment service by using the provided values.	Set-EnrollmentConfig	ServerAdministrators DeviceAdministrators
Update the current settings for the specified MDM Gateway Server.	Set-MDMGatewayServer	ServerAdministrators
Update the global VPN settings shared among all computers that are running MDM Gateway Server.	Set-MDMGlobalGatewayConfig	ServerAdministrators DeviceAdministrators
Set the collection frequency for a device inventory collection item.	Set-MDMInventoryItem	DeviceAdministrators
Set the configuration of the Group Policy service.	Set-MobilePolicyServiceConfig	ServerAdministrators DeviceAdministrators
Set the configuration of MDM software distribution service.	Set-SoftwareDistributionConfig	ServerAdministrators DeviceAdministrators
Configure the properties of the wipe service.	Set-WipeConfig	ServerAdministrators DeviceAdministrators
Start the VPN service on the specified MDM Gateway Server.	Start-MDMVPNService	ServerAdministrators
Stop the VPN service on the specified MDM Gateway Server.	Stop-MDMVPNService	ServerAdministrators
Update the RSoP held by the server for a given device.	Update-MobilePolicyCalculation	ServerAdministrators DeviceAdministrators DeviceSupport HelpdeskOperator

Reference

Server Infrastructure Roles in MDM

Site Feedback