Server Infrastructure Roles in MDM
2/9/2009
System Center Mobile Device Manager uses role-based access control. Unlike an authentication system that specifies who a user is, role-based access is an authorization system that specifies what a user is authorized to access and what tasks that person can perform.
The following shows the server infrastructure roles:
- DeviceManagementServers
- EnrollmentServers
- SelfService
These roles are represented through MDM infrastructure groups that the Active Directory Configuration Tool (ADConfig) creates. For more information about these groups, see ADConfig Tool.
Tasks by Infrastructure Role
The following shows the tasks that each infrastructure role gives users.
DeviceManagementServers
The DeviceManagementServers role is represented through the SCMDMDeviceManagementServers (<instance name>) infrastructure group that ADConfig creates.
The following shows the tasks that a user who has the DeviceManagementServers role can perform.
| Cmdlet | Task |
|---|---|
Add a compromised managed Windows Mobile device to the blocked device table. |
|
Return an MDMInstance object that represents the instance that the current MDM Shell is managing. |
|
Return an MDMInstance object that represents the MDM instances in an organization. |
EnrollmentServers
The EnrollmentServers role is represented through the SCMDMEnrollmentServers (<instance name>) infrastructure group that ADConfig creates.
The following shows the tasks that a user who has the EnrollmentServers role can perform.
| Cmdlet | Task |
|---|---|
Return information about the current set of managed devices that are blocked. |
|
Return an MDMInstance object that represents the instance that the current MDM Shell is managing. |
|
Return an MDMInstance object that represents the MDM instances in an organization. |
SelfService
The SelfService role is represented through the SCMDMSelfServiceServers (<instance name>) infrastructure group that ADConfig creates.
The following shows the tasks that a user who has the SelfService role can perform.
| Cmdlet | Task |
|---|---|
Return the current global device management configuration. |
|
Return the current configuration of the Enrollment service. |
|
Return pending managed device enrollment requests. |
|
Return an MDMInstance object that represents the instance that the current MDM Shell is managing. |
|
Return information about devices that MDM manages. |
|
Return status information for the specified managed device. |
|
Return the global virtual private network (VPN) settings shared among all computers that are running MDM Gateway Server. |
|
Return an MDMInstance object that represents the MDM instances in an organization. |
|
Return the current configuration of the Group Policy service. |
|
Return the current configuration of MDM software distribution service. |
|
Return the current configuration of the wipe service. |
|
Return the unprocessed wipe requests for the specified managed device. |
|
Create a new managed device enrollment request. |
|
Create a new wipe request that deletes all content on the targeted managed device. |
|
Remove a pending enrollment request for a managed device. |
|
Remove a wipe request for the specified managed device if the wipe request is yet unprocessed. |
|
Configure the current MDM Console to manage a specific MDM instance. .gif "Dd261822.note(en-us,TechNet.10).gif") Note:
Anyone who has access to MDM Console can run this cmdlet.
|
Tasks and Administrator Roles by Cmdlet
The following shows the tasks that each role can perform.
| Cmdlet | Task | Required Admin Role |
|---|---|---|
Add a compromised managed device to the blocked device table. |
DeviceManagementServers |
|
Return information about the current set of managed devices that are blocked. |
EnrollmentServers |
|
Return the current global device management configuration. |
SelfService |
|
Return the current configuration of the Enrollment service. |
SelfService |
|
Return pending managed device enrollment requests. |
SelfService |
|
Return an MDMInstance object that represents the instance that the current MDM Shell is managing. |
DeviceManagementServers EnrollmentServers SelfService |
|
Return information about managed devices that controls. |
SelfService |
|
Return status information for the specified managed device. |
SelfService |
|
Return the global virtual private network (VPN) settings shared among all computers that are running MDM Gateway Server. |
SelfService |
|
Return an MDMInstance object that represents the MDM instances in an organization. |
DeviceManagementServers EnrollmentServers SelfService |
|
Return the current configuration of the Group Policy service. |
SelfService |
|
Return the current configuration of MDM software distribution service. |
SelfService |
|
Return the current configuration of the wipe service. |
SelfService |
|
Return the unprocessed wipe requests for the specified managed device. |
SelfService |
|
Create a new managed device enrollment request. |
SelfService |
|
Create a new wipe request that deletes all content on the targeted managed device. |
SelfService |
|
Remove a pending enrollment request for a managed device. |
SelfService |
|
Remove a wipe request for the specified managed device if the wipe request is yet unprocessed. |
SelfService |
|
Configure the current MDM Console to manage a specific MDM instance. Note:
Anyone who has access to MDM Console can run this cmdlet.
|
SelfService |