Creating device spaces and assigning administrators

Global administrators are the only administrators that can create, edit and delete device spaces, assign and remove administrators, and assign roles and permissions to and remove them from administrators.

Assigning an administrator to a device space enables that administrator to manage devices assigned to that device space. The administrative tasks that the administrator can perform depend on the roles assigned to that administrator. Administrators can be assigned to more than one device space and can have different roles and permissions in each assigned device space.

Although Global Administrators have roles that enable them to perform specific tasks, they can perform these tasks only in device spaces to which they are assigned. By default, these administrator types are assigned to the global space, but not to individual device spaces.

Creating device spaces is a two-step process.

  • First, you name the device space (for example, France Android) and define criteria that determine which devices belong to the device space (for example, all Android devices used in the France help desk group).
  • Second, you select the administrators for the device space and assign them the roles they need to perform the management actions you have chosen for administrators in this device space.

When creating device spaces:

  • Ivanti, Inc recommends that you assign administrators to the new device space and assign them the roles necessary for their planned management tasks before closing the dialog. Assigning administrators and roles later limits you to adding administrators and roles one at a time rather than as a group.
  • Using the New Admin Space dialog, you can only select one set of users and assign them one set of roles.
  • For devices assigned to device spaces, an administrator assigned the necessary roles can view the name of the device space to which the device is assigned in the Devices page.

After deciding how to use delegated administration in your Ivanti EPMM system, create the device spaces, assign administrators to the device spaces, and then assign roles to the administrators using the following procedure:

Procedure 

  1. In Admin Portal, go to Admin > Device Spaces.

  2. Click Add+ to add a device space.

  3. Enter the name for the device space in Space Name.

  4. To specify which devices are assigned to the device space, create a query using the All and Any buttons and the Fields, Operators and Values fields displayed (see Specifying devices for device spaces for details).

  5. Click Save to create the device space and move to assigning administrators to the device space.

  6. To assign administrators to the device space, complete one of the following actions:

    1. Click LDAP Entities, select LDAP OU, LDAP Groups, or LDAP Users, and then enter one or more characters in the search box below LDAP Entities to display a list of LDAP users that meet the search criteria (see Filtering users by OUs and groups for details).
    2. Click Individual Admins, and then enter one or more characters in the search box next to Individual Admins to display a list of local users that meet the search criteria.
  7. Select the device space administrators from the list.

  8. Select roles for the device space administrators from the lists of roles in the dialog (see “Editing administrator roles” in Getting Started with Ivanti EPMM for information about the available roles and permissions).

  9. When you select a role from one of the categories, Device Management for example, the permissions for the selected role move from the Available Permissions column to the Selected Permissions column. If the permissions associated with a role are included in a previously selected role, no permissions are added to the Selected Permissions column.

The new device space status is Pending after you click Save. Until the status of all device spaces is Active rather than Pending, the device counts for the device spaces are not reliable and devices may not be listed in the correct device space.

Updating device spaces

Updating device spaces involves several Ivanti EPMM actions:

  • Update device space
  • Device space evaluation
  • LDAP synchronization

You update device spaces after creating spaces or changing device space priority. Ivanti, Inc recommends that you wait until you finish creating all your device spaces, including assigning administrators and roles, or complete changing device space priority before you update device spaces. This saves system resources. Use the following procedure to update device spaces.

Procedure 

  1. Finish creating your device spaces or complete changing device space priorities.
  2. Click Update Spaces Now.

Ivanti EPMM displays a message that it might take several hours to update Ivanti EPMM with the new device space. The actual time it will take to update Ivanti EPMM with the new device space depends on the number of devices assigned to the device space, the priority of the new device space and how it affects the priorities of the other device spaces in Core.

Specifying devices for device spaces

This section explains how to use the query tool in the New Admin Space dialog to specify the criteria that select devices for a device space.

This procedure assumes that you are already defining a device space using the New Admin Space dialog.

Procedure 

  1. Click Any or All to specify whether the search result includes devices that meet one or more of the conditions (Any), or must meet all the specified conditions (All).

  2. Click the Field drop-down menu, navigate to the search field and select it (see Switching device spaces for the list of available fields).

    Type a few letters of the field name to display a list of matching fields, or press the Expand All button within the field list to display all possible fields.

  3. In Operator, select one of the possible operators for the selected field.

  4. In Value, select or enter the value for the selected search field.

    A green icon indicates that the query syntax is correct; a red icon indicates that the syntax is incomplete or incorrect.

  5. (Optional) Click the plus sign to the right of the query condition you just created to add another condition.

  6. (Optional) Repeat Step 2 through Step 5 for each additional query.

  7. (Optional) To remove a condition from the search criteria, click the minus sign to the right of that condition.

  8. A sample listing of the devices that meet the query criteria is displayed below the query as you complete each condition.

  9. Check the sample device list to ensure that the query returns the types of devices you intended. The sample list contains up to twenty devices. To test that the search criteria return all the devices to be included, run the same query using Ivanti EPMM advanced search in the Devices tab.

Filtering users by OUs and groups

Expect the following behaviors and limitations when filtering users with these combinations of Organizational Units (OUs) and groups:

Table 2.  Behaviors and limitations

| User filtering criteria one | Operation | User filtering criteria two | Behaviors and Limitations |
|---|---|---|---|
| OU or group | AND | OU or group | User filtering based on OU criteria is not applied. All (name-matching) users are listed. (Limitation) |
| OU or group | AND | Another user or device rule | Only the LDAP OU rule is applied. The other rule is not applied. (Limitation) |
| OU or group | OR | OU or group | Filtering from both criteria is applied. Users belonging to either of the search options are listed. |
| OU or group | OR | Another user or device rule | No user filtering is applied. All (name-matching) users are listed. |

Searchable fields

The fields available as search criteria for devices assigned to a device space are divided into six categories: Android Fields, Common Fields, Custom Attributes, iOS Fields, User Fields and Windows Fields.

  • User Fields specify which users are connected with the devices.
  • Android Fields, Common Fields, iOS Fields, and Windows Fields are device related fields.
  • Custom Attributes are for user or device related fields to associate additional properties.

Example

To select an LDAP Field for the search item:

  1. Select User Fields and then LDAP.

    The choices listed for the search field depend upon how your LDAP server is set up.

  2. Select one of the following to specify the search field:

    • User Attributes, which lets you select a user attribute, such as displayName, as a search field.
    • LDAP User Locale
    • Principal
    • upn
    • Groups, which lets you specify an LDAP group.
    • LDAP User Distinguished Name.
    • LDAP Organizational Units Distinguished Name.
    • Attribute Distinguished Name

To select a Device Field for the search item:

  1. Use the Field drop-down menu to select a device category.

    • Android Fields
    • Common Fields
    • Custom Attributes: Custom Attributes are added by going to Settings > Custom Attributes (in the Users & Devices section). Click Add+ to add values for the Custom Device Attribute or the Custom User Attribute.
    • iOS Fields
    • Windows Fields
  2. Click the arrow to the left of the field type to specify a search parameter.
    For example, select Common Fields > Serial Number to add "common.SerialNumber" = "" as a search parameter.

Some administrator tasks are only available to administrators assigned to the global space. Only administrators assigned to the global space who are assigned the necessary roles can:

  • Create and edit device spaces.
  • Assign and remove administrator roles.
  • Assign administrators to and delete them from device spaces.
  • Access the V1 API.
  • Access the Settings and Services pages.

Switching device spaces

If you use delegated administration, all administrators will see a device space list at the top right of the Admin Portal. The list contains all the device spaces assigned to that administrator. The device spaces list is shown when an administrator has permission in more than one space. Using this list, administrators can easily switch between spaces without logging out and then logging in again.

To switch device spaces:

Procedure 

  1. Click the device space list at top right of the Admin Portal.
  2. Select the device space you want to manage next.

Managing device spaces

Managing device spaces for your Ivanti EPMM system can include:

  • Managing device space priority
  • Deleting device spaces
  • Editing device spaces
  • Assigning and removing administrators from device spaces, including the global space
  • Changing the roles assigned to device space administrators

Device space information for your Ivanti EPMM system is displayed when you go to Admin > Device Spaces. The information displayed includes:

Table 3.  Device space information

| Column | Description |
|---|---|
| Space Name | Name given to device space |
| Criteria | Query that defines which devices are assigned to the device space |
| Admins | Administrators assigned to the device space |
| Status | Current status of the device space |
| Number of Devices | Number of devices currently assigned to the device space |
| Priority | Device space priority |

Managing device space priority

Device spaces are assigned a priority when you create them. The first device space you create has the highest priority, which is Priority 1. The second device space you create has Priority 2.

Go to Admin > Device Spaces to view the priorities of device spaces. The priority of each device space is listed in the Priority column.

The global space is always assigned the lowest priority among the device spaces.

You can change device space priority at any time. To change device space priority:

Procedure 

  1. In Admin Portal, go to Admin > Device Spaces. The device spaces are listed in priority order. The device space with the highest priority is listed first.

  2. Select the device space to change.

  3. Drag the device space entry to the new priority position in the list. For example, to move HQ Space from the highest priority to the third-highest priority, select HQ Space from the list of device spaces and drag it to the third position in the list.

  4. Click Update Spaces Now to complete the device space change.

Until Ivanti EPMM completes the device space priority change, the number of devices in each device space is unreliable. When the status of all device spaces is Active, the update is complete and the device counts are correct for each device space.

Deleting device spaces

You can remove device spaces from Ivanti EPMM. When you delete device spaces from Ivanti EPMM:

  • Devices assigned to the deleted device space are assigned to a different device space. The device space each device is assigned to depends on the device criteria for the other device spaces in Ivanti EPMM and device space priority. For example, if DeviceA needs reassignment, Ivanti EPMM checks whether DeviceA meets the criteria for inclusion in the highest priority device space. If DeviceA does not meet that device space’s criteria, Ivanti EPMM continues down the priority list of device spaces until it finds the highest-priority device space for which DeviceA qualifies.

Devices that do not meet the criteria for any other device space are assigned to the global space.

  • Administrators assigned to the deleted device space are not reassigned. If they are administrators in other device spaces, those assignments remain. However, if they are not assigned as administrators in other device spaces, they no longer have any administrator roles or permissions.

To delete device spaces:

Procedure 

  1. In Admin Portal, go to Admin > Device Spaces.

  2. Check the box next to the name of the device space to delete. You can select and delete one or more device spaces.

  3. Click Actions and select Delete Space.

  4. Click Yes to confirm deleting the device space.

  5. Click Update Spaces Now.

The status of all devices assigned to the deleted device space is Pending until Ivanti EPMM processes the deletion. However, devices registered with Ivanti EPMM after you delete the device space are not assigned to the deleted device space.

While the Delete Space action is processed, actions such as Force Device Check-in, Change Language and Change Ownership cause devices assigned to the deleted device space to change device spaces immediately.

Therefore, while the status of devices assigned to the deleted device space is Pending and various device actions are occurring, device counts for all device spaces are unreliable.
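The reassignment rule described above can be rehearsed offline before deleting a space or changing priorities, to see which devices move and which administrators are left with no roles. The following is an added example, not Ivanti EPMM code: it is a simplified model in which only the "=" operator is supported, and the "Global" label, the field names platform and group, and all sample data are constructed assumptions.

```python
# Added illustration: simplified model of priority-based device space
# assignment. Not Ivanti EPMM code; only the "=" operator is modelled.
from dataclasses import dataclass, field

GLOBAL_SPACE = "Global"  # assumed label for the global space


@dataclass
class Space:
    name: str
    match: str        # "All" or "Any", as in the query tool
    conditions: list  # [(field, value), ...] compared with "="
    admins: set = field(default_factory=set)

    def accepts(self, device):
        hits = [device.get(f) == v for f, v in self.conditions]
        return all(hits) if self.match == "All" else any(hits)


def assign(device, spaces):
    """Return the first space, in priority order, whose criteria match."""
    for space in spaces:  # index 0 is Priority 1
        if space.accepts(device):
            return space.name
    return GLOBAL_SPACE   # no criteria met: device lands in the global space


def delete_space(name, spaces, devices, global_admins=frozenset()):
    """Return (new placement per device, admins left with no space)."""
    removed = next(s for s in spaces if s.name == name)
    remaining = [s for s in spaces if s.name != name]
    placement = {d: assign(attrs, remaining) for d, attrs in devices.items()}
    kept = set(global_admins).union(*(s.admins for s in remaining))
    return placement, removed.admins - kept


# Constructed sample data; "platform" and "group" are hypothetical field names.
SPACES = [
    Space("France Android", "All",
          [("platform", "Android"), ("group", "FR-helpdesk")], {"alice", "bob"}),
    Space("All Android", "Any", [("platform", "Android")], {"bob"}),
]
DEVICES = {
    "DeviceA": {"platform": "Android", "group": "FR-helpdesk"},
    "DeviceB": {"platform": "iOS", "group": "FR-helpdesk"},
}

if __name__ == "__main__":
    print({d: assign(a, SPACES) for d, a in DEVICES.items()})
    print(delete_space("France Android", SPACES, DEVICES))
```

In the sample, deleting France Android moves DeviceA under the administrators of All Android and leaves alice with no space assignment, which is the kind of scope change worth reviewing before clicking Update Spaces Now.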

Assigning administrators to spaces

Ivanti, Inc suggests that you add administrators to device spaces when you add device spaces to Ivanti EPMM. The New Admin Space dialog enables you to assign a group of administrators to a device space and assign them the necessary roles. Assigning administrators after a device space is added allows you to add only one administrator at a time.

To assign an administrator to a space:

Procedure 

  1. In Admin Portal, go to Admin > Admins.

  2. In the To field, select Authorized Users or LDAP Entities.

  3. If you selected:

    • LDAP Entities, select an LDAP category (LDAP Groups, LDAP OU, LDAP Users), and then specify criteria in Search by Name for the LDAP user to assign as an administrator.
    • Authorized Users, enter criteria in Search by Name to find the local user to assign as an administrator.
  4. Click Enter to run the search, and then select one local or LDAP user from the search results.

  5. Go to Actions > Assign to Space.

  6. From Space Name, select the device space that the selected user will manage.

  7. Assign roles to the administrator for that device space (see “Editing administrator roles” in Getting Started with Ivanti EPMM for role and permission details).

  8. Click Save.

You cannot save the device space assignment until you assign the administrator at least one role.

Editing device space criteria

As an administrator you can edit device spaces to customize the criteria to your needs. You must have administrator privileges for the space you want to edit.

To edit a device space:

Procedure 

  1. In the Admin Portal, go to Admin > Device Spaces. If you cannot access the Admin tab you cannot edit the device space.

  2. Select the device space to edit.

  3. Select Edit Space from the Actions drop-down menu to display the Edit Space page.

  4. Enter the new Name for the space you wish to edit.

  5. Use the text field in the Criteria section to edit the existing criteria. Click Save.

The space goes into a pending state while the new criteria are being applied.