Assigning and removing device user roles

The Manage administrators and device spaces role is required for this task. Assign roles to enable access to product features available through the user portal.

NOTE: When modifying permissions or roles for local or LDAP users, you must log out and log back in to the Admin Portal for your changes to take effect.

Procedure 

  1. From the Admin Portal, go to Devices & Users > Users.

  2. Select one or more local users or LDAP groups.

    Use the To: field to change between displaying local users and LDAP entities.

  3. Click Actions and select Assign Roles.
  4. Select roles for the users.
  5. Click Save.

MobileIron Core recognizes the following roles for device users:

Table 1. User roles

Roles

Description

User Portal

Allows access to the user portal.

For Windows Phone (8.0) this role is required for registration.

With User Portal selected, you can choose to enable or disable the following roles:

  • Wipe Device
  • Lock Device
  • Unlock Device
  • Locate Device
  • Retire Device
  • Register Device
  • Change Device Ownership
  • Reset PIN
  • Reset Secure Apps Passcode

Local users receive User Portal access by default, but LDAP users do not.

Wipe Device

Enables device users to wipe their phones through the user portal.

Warning: Wipe is destructive and cannot be reversed. Do not select this option unless you want to enable end users to wipe their devices.

Lock Device

Enables device users to lock their phones from the user portal.

Unlock Device

Enables device users to unlock their phones through the user portal.

Locate Device

Enables device users to locate their phones from the user portal.

Retire Device

Enables device users to unregister their phones through the user portal.

Register Device

Enables device users to register phones from the user portal.

Change Device Ownership

Enables device users to change ownership from Employee Owned to Company Owned or vice-versa.

Changing device ownership from company-owned to employee-owned or vice-versa may impact:

  • the policies and configurations that are applied to the device.
  • the apps that are available through Apps@Work.
  • iBooks that are available on the device.

Devices are impacted when they check-in with MobileIron depending on the labels to which company-owned or employee-owned devices are applied.

Reset PIN

Enables device users to reset the device PIN on Windows devices.

Reset Secure Apps Passcode

Enables device users to reset the secure apps passcode on Android and iOS devices.

Use Google Device Account (for Android enterprise device only)

This selection is for configuring the Android shared-kiosk mode. See "Configuring a staging user" in the MobileIron Core Device Management Guide for Android and Android enterprise Devices.

Use Apple User Enrollment (For Apple unsupervised device only)

This selection is for User Enrollment with Apple Business Manager. For more information, see "User Enrollment with Apple Business Manager" in the MobileIron Core Device Management Guide for iOS and macOS Devices.

Enable Authenticator Only Role

Select to enable users to register their unmanaged mobile device in Authenticator Only mode. This user role designates an unmanaged mobile device as the user's identity and authentication factor. Designating a mobile device as the user's identity allows users to take advantage of zero sign-on features, which allow passwordless access to SaaS applications and other business services.

NOTE: If the role is removed, the devices registered by user are also retired.

When you assign the Enable Authenticator Only Role to a user, the Retire Device and Register Device User Portal roles are selected by default. The Retire Device and Register Device roles are the only User Portal roles available for Authenticator Only users. All other User Portal roles are grayed out.

For information about registering devices in Authenticator Only mode, see "Authenticator Only with MobileIron Access" in the MobileIron Access Guide.

The new roles take effect the next time an affected user logs in. A user who is logged in when the change is made must log out and log back in to see the effects of the change.