Delegated administration support has been extended to managing configurations in a device space.
Creating a custom configuration in a device space
Creating a custom configuration in a device space is similar to creating a configuration in a global space. The configurations created in a device space is usable only in that space. The configurations created in a subspace by the Space administrator cannot be used in the global space.
Managing configuration supported in device space
To manage configurations in a device space, the Manage Configuration role has been made available for a Device Space administrator. An administrator with this role can access the configurations tab in the Admin Portal under Policies & Configs > Configurations.
A Space administrator can view the configurations in their own space and the global space. The Global administrator can view configurations in the global space and any device space.
To filter configurations by space:
In the Admin Portal go to Policies & Configs > Configurations
Click the Spaces drop-down list.
Select the Space to display the configurations in the space.
A new Space column has been added to the Configurations page to display the device space name associated with the selected Configuration. The Space column is only shown when there is any device space other than the global space in the Core.
The Add New drop-down list Policies & Configs> Configurations, supports the following configurations that are managed in a device space:
- Exchange: The option allows you to customize the exchange configuration for the device or global space.
- Email: Securely synchronize data from back-end systems such as corporate email.
- Wi-Fi: Enable or disable access to wireless LANs.
- VPN: This option is used to secure network connection over a public network. A mobile device uses a VPN
- client to securely access protected corporate networks.
- Certificates: The Policies & configs> Configurations> Add New> Certificates option allows you to create a new certificate in your device space. If the configuration is created in device space, then it is visible in device and global space only.
- Certificate Enrollment: The Policies & configs> Configurations> Add New> Certificate Enrollment supports managing the following configurations in a device space:
- Symantec Managed PKI
- Symantec Web Services Managed PKI
iOS Restrictions: The Policies & configs> Configurations> Add New> iOS and macOS > iOS Only> Restrictions option allows you to configure restriction on your iOS devices through the device space.
Certificate Management: The Logs > Certificate Management is available for device space:
Device Space administrators can see and perform actions on certificates generated by their own certificate enrollment configuration.
The Edit button in the Configuration Details pane is enabled only if the selected configuration belongs to the current space.
The Delete action from the Actions drop-down list is accessible only if the Delete Configuration role is assigned to the administrator. The Delete button is enabled only if the selected configuration belongs to the current space.
The Apply and Remove Label action is available if the administrator has the Apply and Remove Label or Manage configuration roles. In a Global space, the administrator cannot perform the Apply and Remove Label action on a subspace configuration. Hence, this action would be disabled when a subspace configuration is selected. In a subspace, administrator can perform Apply/Remove Label action on his configuration as well as Global configuration.
The Save As action is available in a subspace if the selected configuration is one of the supported configurations that are listed above and the Save as action itself is supported for that configuration.
The Export and Import options are disabled in a subspace. A Global administrator can export a configuration that belongs to a Global space or any subspace, however an import action will always result in the configuration being imported in the Global space.
A configuration may depend on other configurations, Local CA, Certificate, Certificate Enrollment, Apps and so on. While creating a configuration the dependent configurations to be listed varies from case to case. But the general rule followed is that configurations from the current space and its parent space will be listed. Dependent configurations from child space cannot be used in parent space. This rule is an exclusion for Apps in Wi-Fi, Apps from a child space are also listed along with Apps from current and parent space.
For more information about these configurations, see the Ivanti EPMM Device Management Guide.