Assigning and removing device user roles

The Manage administrators and device spaces role is required for this task. Assign roles to enable access to product features available through the user portal.

When modifying permissions or roles for local or LDAP users, you must log out and log back in to the Admin Portal for your changes to take effect.

Procedure 

  1. From the Admin Portal, go to Devices & Users > Users.
  2. Select one or more local users or LDAP groups.

    Use the To: field to change between displaying local users and LDAP entities.

  3. Click Actions and select Assign Roles.
  4. Select roles for the users.
  5. Click Save.

Ivanti EPMM recognizes the following roles for device users:

Table 7.   User roles
Roles Description

Self-Service User Portal

Allows access to the user portal.

For Windows Phone (8.0) this role is required for registration.

With Self-Service User Portal selected, you can choose to enable or disable the following roles:

  • Wipe Device
  • Lock Device
  • Unlock Device
  • Locate Device
  • Retire Device
  • Register Device
  • Change Device Ownership
  • Reset PIN
  • Reset Secure Apps Passcode

Local administrative users must be assigned the User Portal role to allow them to reset their password.

Local users receive User Portal access by default, but LDAP users do not.

Wipe Device

Enables device users to wipe their phones through the user portal.

Warning: Wipe is destructive and cannot be reversed. Do not select this option unless you want to enable end users to wipe their devices.

Lock Device

Enables device users to lock their phones from the user portal.

Unlock Device

Enables device users to unlock their phones through the user portal.

Locate Device

Enables device users to locate their phones from the user portal.

Retire Device

Enables device users to unregister their phones through the user portal.

Register Device

Enables device users to register phones from the user portal.

Change Device Ownership

Enables device users to change ownership from Employee Owned to Company Owned or vice versa.

Changing device ownership from company-owned to employee-owned or vice versa may impact:

  • The policies and configurations that are applied to the device.
  • The apps that are available through Apps@Work.
  • iBooks that are available on the device.

Devices are affected when they check in with Ivanti EPMM, depending on the labels that are applied to company-owned or employee-owned devices.

Reset PIN

Enables device users to reset the device PIN on Windows devices.

Reset Secure Apps Passcode

Enables device users to reset the secure apps passcode on Android and iOS devices.

Use Google Device Account (for Android Enterprise device only)

This selection is for configuring the Android shared-kiosk mode. See "Configuring a staging user" in Getting Started with Ivanti EPMM.

Allow Account Driven Apple User Enrollment

Allows Apple device users to self-enroll from the Settings page on their device, thus making their device managed. For more information, see "Account-driven Apple User Enrollment" in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

Force User Enrollment for non-supervised iOS device registrations.

This selection is for User Enrollment with Apple Business Manager. For more information, see "User Enrollment with Apple Business Manager" in the Ivanti EPMM Device Management Guide for iOS and macOS devices.

Enable Authenticator Only Role

Select to enable users to register their unmanaged mobile device in Authenticator Only mode. This user role designates an unmanaged mobile device as the user's identity and authentication factor. Designating a mobile device as the user's identity allows users to take advantage of Zero Sign-on features, which allow passwordless access to SaaS applications and other business services.

If the role is removed, the devices registered by the user are also retired.

When you assign the Enable Authenticator Only Role to a user, the Retire Device and Register Device User Portal roles are selected by default. The Retire Device and Register Device roles are the only User Portal roles available for Authenticator Only users. All other User Portal roles are grayed out.

For information about registering devices in Authenticator Only mode, see "Authenticator Only with Access" in the Ivanti Access Guide.

The new roles take effect the next time an affected user logs in. A user who is logged in when the change is made must log out and log back in to see the effects of the change.
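The role rules in the table above can be checked against a list of role assignments before or after a bulk change. The following Python is an added example, not Ivanti code: the record layout (`name`, `local_admin`, `roles`) and the sample users are constructed for illustration, and only the role names and the rules themselves come from this page.

```python
# Role names come from the "User roles" table; the record layout is an assumption.
PORTAL = "Self-Service User Portal"
AUTH_ONLY = "Enable Authenticator Only Role"
PORTAL_SUBROLES = {
    "Wipe Device", "Lock Device", "Unlock Device", "Locate Device",
    "Retire Device", "Register Device", "Change Device Ownership",
    "Reset PIN", "Reset Secure Apps Passcode",
}
AUTH_ONLY_ALLOWED = {"Retire Device", "Register Device"}


def audit(user):
    """Return the list of findings for one user record (a dict)."""
    roles = set(user["roles"])
    sub = roles & PORTAL_SUBROLES
    findings = []
    if sub and PORTAL not in roles:
        # Sub-roles are only selectable with Self-Service User Portal enabled.
        findings.append("portal sub-roles without " + PORTAL)
    if "Wipe Device" in roles:
        findings.append("user can self-wipe (destructive, cannot be reversed)")
    if AUTH_ONLY in roles and sub - AUTH_ONLY_ALLOWED:
        findings.append("Authenticator Only user holds extra portal roles")
    if user.get("local_admin") and PORTAL not in roles:
        findings.append("local admin cannot reset own password")
    return findings


def audit_all(users):
    """Map user name -> findings, omitting users with no findings."""
    report = {u["name"]: audit(u) for u in users}
    return {name: f for name, f in report.items() if f}


# Constructed sample records (hypothetical users, not real export data).
SAMPLE_USERS = [
    {"name": "alice", "local_admin": False,
     "roles": [PORTAL, "Lock Device", "Locate Device"]},
    {"name": "bob", "local_admin": False, "roles": ["Wipe Device"]},
    {"name": "carol", "local_admin": False,
     "roles": [PORTAL, AUTH_ONLY, "Retire Device", "Register Device",
               "Locate Device"]},
    {"name": "dave", "local_admin": True, "roles": []},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_USERS).items():
        print(name, "->", "; ".join(findings))
```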