User management overview

This chapter explains how to manage local and LDAP users for the Admin Portal. For information on managing local users in System Manager, refer to the MobileIron Core System Manager Guide.

Types of users

MobileIron Core supports local users and LDAP users.

  • LDAP users are imported from your organization’s LDAP server.

    In most cases, you will configure an LDAP server and import LDAP users.

  • Local users are entities created in the local MobileIron database. They are not known to the network or other corporate services.

    Local users are best for the following scenarios:

    - administration
    - testing

Local users created in the Admin Portal can be used for registering devices and accessing the Admin Portal and the user portal. Local users created in the System Manager can be used in the System Manager and the CLI.

The misystem user

The misystem user is a default MobileIron Core user that performs the following tasks:

  • creates the default rules and policies
  • executes system maintenance tasks

This user is not listed in the Admin Portal, and it has no roles assigned to it.

Local users created during setup

The local user you define during setup actually results in two local users, one in the Admin Portal and one in the System Manager.

Figure 1. Local users created during setup

Though these two users start with the same name and password, they are separate users stored in separate databases. Changes made to one do not affect the other. For example, if you change the password for the Admin Portal user, the password for the System Manager user does not change.

Users and roles

You work with the following basic user and administrator types in the Admin Portal:

  • Device users: end users who use the managed devices (owned by themselves or the enterprise).
  • Super Administrators: manage devices and users throughout MobileIron Core. These administrators are assigned to the global space. The role that sets these administrators apart is Manage administrators and device spaces. Only administrators with this role can create and manage device spaces and assign roles and device spaces to administrators. MobileIron Core can have one or more Super Administrators.
  • Global Administrators: manage devices throughout MobileIron Core. These administrators are assigned to the global space and can be assigned any roles other than Manage administrators and device spaces.

    NOTE: In order for users with global space permissions to see the App tab in the Dashboard, they need to be granted View App Dashboard permissions. See Viewing the App Dashboard.
  • Device Space Administrators: manage only the devices and users assigned to the device spaces to which they are assigned. For example, an administrator assigned to the Dallas Help Desk device space can only manage devices assigned to that device space. The roles that can be assigned to Device Space Administrators are limited. For example, Device Space Administrators, if assigned the correct role, can view configurations or apply and remove configurations from a label. However, they cannot create or edit configurations.

User roles and LDAP groups

In a large organization, assigning roles to individual users can be cumbersome. Instead, you can assign roles to LDAP groups or organizational units. By assigning roles to an LDAP group or organizational unit, you apply a given role to all the members of the group or organizational unit at once.

Enforce Single Session role and concurrent session control

Concurrent session control is applied to administrators by assigning them the Enforce Single Session role. The concurrent session control feature automatically logs off a MobileIron Core session if the administrator has logged in on another machine or browser.

NOTE: An administrator can use multiple tabs of a single browser without being logged off. An administrator can also use multiple windows of the same browser on the same machine without being logged off.

To enable concurrent session control:

Procedure 

  1. From the Admin Portal, go to Admin > Admins.
  2. Select an administrator.
  3. Go to Actions > Edit Roles.
  4. Select Enforce Single Session.
  5. Click Save.

    The role appears as Enforce single session (all spaces) in the list of roles for the administrator.
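The behavior described above can be modeled in a few lines. This is an added illustration, not MobileIron Core code: the `SessionRegistry` class, the admin names, and the assumption that all tabs and windows of one browser present the same session token are hypothetical.

```python
import secrets

ENFORCE_SINGLE_SESSION = "Enforce Single Session"  # role name as given on this page


class SessionRegistry:
    """Hypothetical model of concurrent session control (not product code)."""

    def __init__(self, roles_by_admin):
        self.roles_by_admin = roles_by_admin  # admin name -> set of role names
        self.sessions = {}                    # session token -> admin name

    def login(self, admin):
        """Open a session from a new browser; revoke older ones if the role applies."""
        revoked = []
        if ENFORCE_SINGLE_SESSION in self.roles_by_admin.get(admin, set()):
            revoked = [t for t, a in self.sessions.items() if a == admin]
            for token in revoked:
                del self.sessions[token]
        token = secrets.token_urlsafe(32)
        self.sessions[token] = admin
        return token, revoked

    def is_active(self, token):
        """Each request, from any tab or window, presents its browser's token."""
        return token in self.sessions


def demo():
    # Constructed sample data: only "alice" holds the role.
    registry = SessionRegistry({"alice": {ENFORCE_SINGLE_SESSION}, "bob": set()})
    first, _ = registry.login("alice")
    # Assumption: two tabs of one browser share a token, so both stay logged in.
    tabs_ok = registry.is_active(first) and registry.is_active(first)
    # A login from another machine or browser logs off the earlier session.
    second, revoked = registry.login("alice")
    # Without the role, concurrent sessions are left alone.
    bob_a, _ = registry.login("bob")
    bob_b, _ = registry.login("bob")
    return {
        "tabs_ok": tabs_ok,
        "first_active": registry.is_active(first),
        "second_active": registry.is_active(second),
        "revoked_first": revoked == [first],
        "bob_both_active": registry.is_active(bob_a) and registry.is_active(bob_b),
    }


if __name__ == "__main__":
    print(demo())
```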